INFORMATION TECHNOLOGY AT THE VA


THURSDAY, SEPTEMBER 26, 2002 

House of Representatives, 

Subcommittee on Oversight and Investigations, 

Committee on Veterans’ Affairs, 

Washington, DC 

The subcommittee met, pursuant to notice, at 10 a.m., in room 334, Cannon House Office Building, Hon. Stephen E. Buyer (chairman of the subcommittee) presiding.

Present: Representatives Buyer, Boozman, and Carson. 

OPENING STATEMENT OF CHAIRMAN BUYER 

Mr. Buyer. Subcommittee on Oversight and Investigations of the 
House Veterans’ Affairs Committee will come to order on the 26th 
of September, 2002. 

The record shall note that Ms. Carson will be here shortly, and 
that I will go ahead and proceed with opening statements. 

I will permit her to make a statement when she arrives and yield 
her sufficient time. And if she does not arrive, we will proceed with 
the record. She has all of your statements. Your statements will be 
submitted for the record. I will proceed with my opening statement. 

Today, this subcommittee will hold its fourth follow-up hearing on the Department of Veterans Affairs information technology programs.

The VA has made considerable progress addressing the IT concerns of the delivery of benefits to our nation’s veterans and their dependents. Secretary Principi has led the VA towards a clearly defined strategic plan that integrates the planning, funding, project execution, and project management oversight of the VA information technology. The Secretary’s action in this area is a welcome step that I believe is long overdue.

Over the past decade, we in Congress have authorized and 
appropriated hundreds of millions, literally billions of dollars, to be 
invested in the VA’s IT systems. Unfortunately, little has come 
from this significant expenditure to develop a one system 
architecture. 

As Chairman of the Oversight and Investigations Subcommittee, I am particularly pleased that Secretary Principi has little toleration for unacceptable business practices that have characterized the VA’s IT program over the past decade.

During our last hearing on March 13, I asked Admiral Gauss, 
and I am paraphrasing: 

“You sit before us as an Admiral, a retired Admiral, in a position that you have no distinct line of authority. So I look at you and say if I were in your position, how would I define my authority. I sure do not want my service to be purely pastoral.”

I believe that hearing and the testimony, actually, the statements from my colleagues, and the possibility of proposed legislation to give the Admiral direct line authority, prompted Secretary Principi’s decision to boldly reorganize the VA’s information technology structure.

The Admiral now has the type of authority such a position warrants, and I thank the Secretary for his leadership. The mission of the VA’s Enterprise Architecture is to develop and implement a high performance, One-VA IT architecture that will support the VA’s overall strategic goals.

This vision is clearly articulated in the VA’s Enterprise Architecture Plan that was approved by Secretary Principi on September 5th of 2002. The VA’s goal is to “Provide world class service to veterans and their families through the effective management of people, technology, processes, and financial resources.”

The One-VA Enterprise Architecture outlined in a detailed report issued by the VA Enterprise Architecture Innovation Team in August 2001, is a marked departure from the historic failures of previous VA IT programs.

The primary difference is the VA now has a clearly defined plan. The Secretary knows that the failure to execute this plan in a timely and cost-effective manner is not an option. We are anxious to hear about the plans and how Dr. Gauss intends to execute the IT program to make it a reality.

There are several outstanding issues that need to be addressed 
immediately. In an article which appeared in the Federal Computer 
Week dated August 12th of 2002, Secretary Principi acknowledged 
there is resistance. There is a quote he has in this article: 

“There is resistance to embracing the Agency’s Enterprise Architecture and the implementation of cyber security initiatives is lagging.” That is troublesome.

At our last hearing, we wanted to find out whether or not the VA is spending its IT money wisely. Obviously, we now know that it is not. Today’s hearing will provide us with the VA’s insight concerning recent changes made by the Secretary, and how this will enhance its ability to move forward with their IT projects.

We will also hear from the VA’s Inspector General. He will share his findings concerning the VA’s Information Technology Security Program. The GAO will round out the panels and provide us with a critical overview of the VA’s progress in several key areas: Enterprise Architecture, information security, VETSNET, and the government computer-based patient record program.

Since the Secretary’s goal of a One-VA is one that is shared by 
members of this subcommittee on a bipartisan basis, we will 
continue to monitor VA’s progress in achieving this important 
objective. 

I now yield to Ms. Carson for any opening comments she would 
like to make. 

OPENING STATEMENT OF HON. JULIA CARSON 

Ms. Carson. Thank you, sir. Thank you very much, Mr. Chairman.

I would like to welcome our panelists and guests at this hearing. For many of you, it is a return visit from our March 13 hearing on this same subject. Much has happened in the past 6 months regarding the VA’s approach to managing its IT. Much has happened from a change management perspective.

At our March meeting, the VA IT experts doggedly defended their existing system for flexibly managing the tremendous IT portfolio of “One-VA.” Central to these management flexibility protocols was the fact that neither the Chief Information Officer nor the Chief of Sovereign Security Executive had direct line authority over any IT managers in the field.

There were dotted lines on the organization chart where there should have been solid lines. Many on this dais, and several expert witnesses, questioned the adequacy of what some saw as IT management by gentle persuasion. Our concerns initially sprang from disheartening data involving the lack of training accomplishments of information security officers in the Veterans Benefits Administration. Without centralized IT leadership, only 40 percent had completed the short online training program one year after being directed to do so. The program takes between 5 and 20 hours to complete. Why was there no sense of urgency to complete training?

Both the IG and the GAO had pointed out problems with VA information security. We did not have long to wait for the next indicator of a problem. This one in my hometown, Indianapolis, Indiana, came to light in May of this year. VA had released sensitive information about veterans, including Social Security numbers, credit card numbers, and specific and personal medical information.

It appeared that the folks in the field were not taking the folks at the Central Office seriously about IT security. A high percentage of IT security folks were still in training status, and guidance papers for dealing with IT were flooding the field from many directions. Everyone wanted a say.

On May 21, I wrote to the Secretary and very strongly indicated my displeasure with VA’s lack of centralized IT control for cyber security. I am so pleased the Secretary heard my message. On August 6, he and Admiral Gauss took powerful and warranted steps to align vital IT functions and give the VA Central Office the authority to reasonably oversee IT in the field.

I am fully aware that this sea change in IT management was a 
painful decision. It is sometimes easier to criticize from outside the 
system than to act within the system. Your change actions altered 
the culture, and that took courage, and I applaud you. 

Obviously, you need time to find your feet and catch your bearings under your new IT management system. From an organizational management perspective, I think it is inappropriate to question IT management system accuracy at this time. But I wish to better understand the past and where the cyber experts believe the department is heading with regards to IT.

Since it has only been 22 days since the Secretary approved the 
VA’s Enterprise Architecture, Version 1.0, we will give you some 
time and wish you Godspeed to succeed. 

I would like to open the door into one specific area of interest today, more to broach the topic and to get background information than to open a full investigation today. VA has several failed IT projects that can be likened to skeletons in its collective closet. We have heard of the setbacks of VETSNET, and today wish for a progress report. Least known, but in some ways more troubling, is a system known as “HR Links.” My colleague, Mr. Evans, has received a letter from IG. Upon their second review, it seems that no one was accountable for the failed HR Link System. Mr. Griffin, the VA IG, states in his 30 August 2002 letter, “Clearly, there was a lack of oversight and accountability of project management.” For a failed system with a quarter of a billion dollar price tag, that is not acceptable.

Today, under new IT management, VA is embarking on new solutions regarding changes to the IT portfolio. While this is happening, the provisions of Clinger-Cohen must be met, milestones established and met. And someone must keep one eye on finances. Contracts for IT must assure our taxpayers a bang for their dollar. I am interested in how this will work under the new “One-VA.”

And, Mr. Chairman, I would yield back the balance of my time. 
And thank you very much for your patience in listening to my 
concerns. 

Mr. Buyer. Mr. Boozman. 

Mr. Boozman. I do not have any questions. I just want to thank 
you and the ranking member for convening the meeting today, and 
really look forward to the testimony. 

Mr. Buyer. Thank you. I would like to recognize some visitors 
we have in the audience here today from Russia. With us today is 
a delegation from the Russian Duma, and you are here to learn 
about our veterans’ programs, legislative process, and how the 
oversight committee in fact works. 

With us is Mr. Igor Ligachev. Please stand. Thank you, sir. He 
is the Deputy Chairman of the Committee on Veterans’ Affairs 
within the Russian Duma. We have Mr. Valeri Dorogin and Mr. 
Ivan Zakharov. Thank you, gentlemen, for being with us today. 

I have had the distinct pleasure of visiting St. Petersburg and 
Moscow. I have worked with the Defense Committee within the 
Duma, and have visited the White House within Moscow. It was 
a very enlightening experience. 

We began to lay down, in 1993, cooperative agreements to begin 
a mutual destruction of chemical munitions. And I am most hopeful 
that our continuing relationship on that issue with the Nunn-Lugar 
dollars will continue. And I appreciate your leadership on the 
issues of weapons of mass destruction and non-proliferation. 

We were allies in World War II. There was great sacrifice by Russia, by your people, not just your men in arms and women, great sacrifice. It was unfortunate that we had parted ways for 40 years, and had a standoff and viewed ourselves as enemies; and that was unfortunate, at great cost not only unto the former Soviet Union, but also unto our own country.

As we now stand as leaders of a new century, I welcome you here to the United States. We welcome your openness, as you also welcome us to visits of your country. I believe that as each of us seek the greater understanding and wise tolerance, we, as two countries that can help lead the world to an everlasting peace, that will be the shining example of our efforts.

So I appreciate your being here today, and please pass on to your veterans our appreciation from World War II, and as we move in concert to bring peace into the world. Thank you.

To our panel today, I would like to recognize Mr. Joel Willemssen, Managing Director, Information Technology Issues of the U.S. General Accounting Office; Mr. Richard Griffin, the Inspector General of the Department of Affairs.

Mr. Slachta, nice to see you back. We are working you overtime, 
I think. And, Ms. Melvin, also, is with us, she is with the GAO. 
Mr. Griffin, you may proceed. You are recognized for 5 minutes. 

STATEMENT OF RICHARD J. GRIFFIN, INSPECTOR GENERAL, DEPARTMENT OF VETERANS AFFAIRS, ACCOMPANIED BY MICHAEL SLACHTA, JR., ASSISTANT INSPECTOR GENERAL FOR AUDIT; AND JOEL C. WILLEMSSEN, MANAGING DIRECTOR, INFORMATION TECHNOLOGY ISSUES, GENERAL ACCOUNTING OFFICE, ACCOMPANIED BY VALERIE MELVIN, ASSISTANT DIRECTOR FOR ACCOUNTING AND INFORMATION MANAGEMENT ISSUES

STATEMENT OF RICHARD J. GRIFFIN 

Mr. Griffin. Thank you, Mr. Chairman. 

Mr. Chairman and members of the subcommittee, I am here today to report on our findings concerning the Department of Veterans Affairs Information Technology Security Program.

Since our March 13, 2002, testimony to the subcommittee, we 
completed a second national audit of VA’s IT security program. The 
audit found that the Department has a number of initiatives in 
process which, if fully implemented, will improve VA’s information 
security posture. 

A few examples of key department actions include: establishment of a VA-wide security plan and the required policies, procedures, and guidelines mandated by the Government Information Security Reform Act; implementation of a VA-wide anti-virus protection; staffing of information security officer positions; and centralization of the Department’s IT security program under the Office of the Chief Information Officer.

Although progress has been made, much work remains to implement key IT security initiatives, establish a comprehensive integrated VA-wide security program, and fully comply with the requirements of the Government Information Security Reform Act.

Penetration testing completed during the past 2 years verified that VA’s information system could be exploited to gain access to sensitive veteran health care and benefit information. In response to last year’s testing, the Department strengthened security controls at the facilities where we conducted our testing. During this year’s follow up testing at these same sites, the security control measures established prevented our external penetration attempts.

However, continuing automated system control vulnerabilities allowed our internal penetration testing to gain access to sensitive veteran benefit and health care information. The vulnerabilities exploited this year were present during our previous testing a year ago.

The Department has not taken appropriate corrective action to eliminate these vulnerabilities in response to last year’s findings. The nature and number of vulnerabilities found warrant immediate attention to reduce the significant exposure and high risk of an internal attack.

The Department’s administration and staff offices have individually managed and controlled their Information Security Program activities. Our security assessment results show that this decentralized management approach has not worked.

Many security vulnerabilities identified in last year’s audit remain unresolved, and additional security vulnerabilities were identified this year. The Department’s decentralized management approach to information security impeded the Department’s ability to successfully strengthen its overall security posture.

We met with the Department CIO on July 22, 2002, and advised that we would be recommending that the Secretary centralize authority for the implementation of security remediation efforts to the CIO’s office. This centralization of authority would include management and decision authority on all Department security remediation efforts.

We had previously recommended centralized oversight in a prior year’s audit. On August 6, 2002, the Secretary issued a memorandum centralizing the Department’s IT Security Program including authority, personnel, and funding in the office of the Department’s CIO effective October 1, 2002.

Based on the results of our second annual audit of VA’s IT Security Program, we made several recommendations to the Department’s CIO, to include the following actions: (1) install intrusion detection systems nationwide; (2) complete infrastructure protection actions; (3) complete data center contingency planning; (4) complete certification and accreditation of VA systems; (5) upgrade or terminate external connections; (6) eliminate vulnerabilities in the application program and operating system change controls; (7) control physical access to computer rooms; and (8) identify budget resources necessary to accomplish VA’s priority security remediation efforts in the next 12 months.

In addition, the CIO must require the administrations to correct identified security vulnerabilities at their facilities and data centers, improve security awareness at the operating level, and highlight the need to assure compliance with existing VA information security policy, procedures, and controls.

In deference to our Russian visitors, there is an expression, doveryai, no proveryai, which means trust, but verify. The Department has an excellent plan in place. We will continue to verify that the implementation of that plan occurs and occurs timely.

This concludes my testimony. I would be pleased to answer any 
questions that you and the members of the subcommittee may 
have. 

Mr. Buyer. I now yield to Mr. Willemssen, the GAO. I don’t want 
to interrupt the testimony. 

STATEMENT OF JOEL C. WILLEMSSEN 

Mr. Willemssen. Thank you, Mr. Chairman, ranking member Carson, Congressman. Thank you for inviting GAO to testify today. As requested, I will briefly summarize our statement on VA’s progress in addressing key information technology challenges since we last testified before you in March.

Over the past 6 months, VA has demonstrated clear progress and made important strides in improving critical IT areas. For example, the Secretary’s recent announcement on realigning the Department’s IT structure can set the stage for improved performance.

Although yet to be finalized, the Secretary’s decision to centralize IT functions, programs, and funding under the Department-level CIO, Dr. Gauss, can improve accountability and enable the Department to truly implement and deliver on its One-VA vision.

Further, the additional oversight that is provided to the CIO could positively influence VA’s ability to more effectively capture and manage its IT investments. VA also continues to make great progress in developing its Enterprise Architecture, which is its blueprint for evolving its information systems and developing new systems.

Secretary Principi recently approved the initial version of VA’s Enterprise Architecture focused on defining the Department’s as-is or current environment and its desired or to-be, target environment. At the same time, VA still needs to complete some critical actions to successfully complete this endeavor.

Among those actions, it needs to select a permanent chief architect, and needs to establish a program office to facilitate, manage, and advance the architecture. In another critical area, VA’s information security continues to be of significant concern, but the Department is making progress in strengthening this program.

Included among the actions it has taken is an expansion of Department-wide incident response and analysis capabilities and monitoring and detection activities. Nevertheless, VA has not yet established a comprehensive computer security management program that would include, among other things, routinely monitoring and evaluating the effectiveness of security policies and controls. Further, VA lacks an independent component to ensure validation of the corrective actions taken.

Compared to the organizational accountability and control in Enterprise Architecture, the Department has not yet made as much progress in addressing the challenges associated with the replacement of compensation and pension payment system; VETSNET is the replacement effort.

Now to its credit, the VA is acting to improve accountability, validate requirements, and focus on testing of the replacement system. Nevertheless, after more than 6 years of effort, full implementation of this system is not envisioned before 2005.

This means that more than 3 million compensation and pension benefits payments that VA makes each month will continue to depend on an aging system that will need additional maintenance to ensure continued accurate processing of payments.

Finally, with regard to the government computer-based patient 
record initiative intended to share patient health data, VA and the 
Department of Defense have made progress on this, as part of a 
substantially revised, scaled down strategy. 

As part of this new strategy, staff in VA medical facilities throughout the country now have access to defense health data on separated service members. Two-way exchange of such information between DOD and VA under the revised initiative is now planned for 2005.

That summarizes my statement, and we would be pleased to address any questions you may have. Thank you.

[The prepared statement of Mr. Willemssen appears on p. 34.] 

Mr. Buyer. This line of “Concurrent with this effort, Department-wide IDS, the intrusion detection systems capability will be incrementally deployed on a strategic basis to provide significantly increased security protections for these gateways.”

I’m sorry. But my intellect is being challenged. Help me out. 

Mr. Griffin. I’m sure Dr. Gauss can give the one hundred percent response to that, but I think it is a combination of prioritizing the order in which you address weaknesses based on the greatest threat, but also considering available budget dollars.

Mr. Buyer. I am going to ask Dr. Gauss, but I’m just curious. 
I mean you have got to read the same stuff I do. 

Mr. Griffin. I read that and I 

Mr. Buyer. “On a strategic basis,” what does that mean? Is this 
bureaucratic wordspeak, or what is it? 

Mr. Griffin. Well, I think you have to have a strategic plan and 
you have to decide, “Okay. Where is our greatest vulnerability? 
And we need to fix that first.” 

Mr. Buyer. All right. 

Mr. Griffin. But that is just my read of the language there. I 
am sure Dr. Gauss 

Mr. Buyer. All right. 

Mr. Griffin (continuing). Will speak eloquently about it. 

Mr. Buyer. Were you a punter in football? 

Mr. Griffin. No, I just do not like to speculate with someone 
else’s words. 

Mr. Buyer. You know what? That is what we have to do. We 
have to interpret words. We have the author here, and I am going 
to ask him. 

Mr. Griffin. Right. 

Mr. Buyer. But I was just curious what you thought. 

Mr. Griffin. Well 

Mr. Buyer. You have been deep into this stuff. I am not here to 
put you on the spot or 

Mr. Griffin. No, I understand. 

Mr. Buyer. All right. Mr. Griffin, in your opinion, what should 
VA be doing right now to shore up its vulnerabilities relating to 
outside penetration? 

Mr. Griffin. They need, as I just mentioned, to establish their priorities based on the greatest known vulnerabilities. As I mentioned in my testimony, there were sites that we had penetrated last year during our audit which we went back and retested this year.

So those particular sites that were demonstrated to have been vulnerable a year ago were made priorities, and the proper protections were put in place to preclude external penetration. That is something that needs to be implemented.

Mr. Buyer. What barriers are present for the implementation of 
these external system protections? 
Mr. Griffin. I think it is a combination of factors. Certainly, budget is one consideration. How much money is going to be available to do these things immediately? Each year we identify and prioritize those things that we think need to be addressed in the next 12 months. That is the basis for the list that we have provided in our written testimony.

As you suggested, there needs to be compliance or a buy-in from 
all of the people in this huge decentralized department to the fact 
that the Secretary has decided we are going to have centralized 
control. 

The Secretary has directed that we will have ISOs at every facility; and ISOs, Information Security Officers, not just in title, but people who have been properly trained to perform their mission, and who understand the Department’s policy and will make sure it happens at their facility.

Mr. Buyer. The GAO, on page 19 of your testimony, you state that, “The VA must also still develop a program management plan to delineate how it will develop, use, and maintain, the Enterprise Architecture.” You further state that, “Such a plan is integral to providing a definitive guidance for the effective management of the Enterprise Architecture Program.”

And I guess I am confused because, according to Dr. Gauss, they have developed and will implement a version 1.0 of the One-VA established — which establishes ten enterprise business functions and seven key enabling functions.

Don’t these business and enabling functions provide the management tools necessary to start the process for implementing the VA’s Enterprise Architecture?

Mr. Willemssen. They do, in part, provide the tools. And I would commend VA on its excellent effort in putting together that initial architecture. But in order to be an effective architecture, it has got to be something other than a document in a binder. It must be implemented.

To do that, among other things, you need a chief architect. You 
also need a program management office that is going to implement 
the architecture and enforce it so that, among other things, when 
a particular entity, for example, wants to develop a new system, 
the office is there as a control and a check, “Does this map to the 
architecture, the direction we want to head?” 

So, again, I commend VA on an excellent effort in putting the architecture together. But now, from this point forward, in addition to getting into more details about, VA is going to have to implement it and make it happen, and make it be more than just paper.

Mr. Buyer. Did you get any feedback from the VA relative to 
this testimony and recommendation? 

Mr. Willemssen. In fact, our recommendations, our outstanding recommendations in today’s testimony are consistent with the long list that we provided to VA back in March. And in talking about this with Dr. Gauss, in all of the areas we have not met any resistance.

I would say the biggest hurdle that Dr. Gauss has right now is time. I think they have made great progress over the last 6 months but they still have a lot of things to do. He and I have talked about not only having the road map that we have laid out in the Enterprise Architecture and information security areas, but now the next step is let’s put some timelines and milestones on those tasks that he feels he can be held accountable to.

I think that would be an excellent step in the right direction. 

Mr. Buyer. That is good counsel. 

Mr. Boozman, you are recognized for 5 minutes. 

Mr. Boozman. In your testimony, you talked about penetrating, 
you know, the system. I know there is patient records. There is 
benefits and things like that. 

I mean what — have we had problems like that in the past of — 
as far as benefits that were not supposed to be paid? 

Or, I guess what I am asking is, if somebody penetrates the system, what — are we talking about stealing patient records? Are we talking about — what is the downside?

Mr. Griffin. Well, there is risk on both the VBA and VHA side of the house. In VHA, the risk is access to privacy-protected medical records.

And in today’s world, where identity theft is unfortunately a fairly prevalent activity, by being able to gain all of the identifiers for a person, it is fairly simple to establish yourself under their identity and perpetrate any number of different types of fraud.

On the benefit side a person could access the system and generate unauthorized payments to fictitious payees.

Mr. Boozman. Has that been a problem? I mean is that some- 
thing that we know about, or 

Mr. Griffin. Well, that is something we demonstrated that that could be done. We have had some criminal cases the past couple of years that involve people manipulating the benefits delivery network to issue checks in the names of the people who had died many years ago, and so on.

So it is a problem. Although, we have not had a massive number 
of incidents, the capability exists. 

Mr. Boozman. Right. You said that we had done better as far as the external penetration, that the tests were good there. The internal, we are still lacking.

What kind of timeframe do you feel like would be adequate to get 
that squared away? 

Mr. Griffin. Based on our successful penetration and manipulation in the benefits arena, I think that needs to be a high priority. Whether that can be accomplished in the next 12-month time period, I am not certain.

Mr. Boozman. Okay, very good. Thank you. 

Mr. Buyer. I ask unanimous consent to permit the counsel for 
the minority to ask questions. Hearing no objection, so ordered. 

Mr. Sistek. Thank you very much, Mr. Chairman. I have two quick questions about management controls under One-VA. The first question I will ask to Mr. Griffin. You are familiar with the new plan for centralized cyber security. My question to you is: Does that plan have adequate reach to the field? Is there an adequate feedback loop established between the farthest reaches of the field and the Central Office regarding cyber security oversight enforcement reporting?

Mr. Griffin. As you know, this plan has just been promulgated in the last 30 days. I know that the administration CIOs have been given the title of deputy under Dr. Gauss’s purview. And there is a plan that will reach into the facilities down to the ISO level.

I know there has been a first ever meeting of the security officers, independent of their respective facility directors, who they had always taken their marching orders from in the past.

Again, a plan has been crafted, but the proof will be in the follow up to make sure that appropriate reporting requirements are in place, and that the people in the field realize that this is not a policy to put on the shelf never to be heard from again. It has got to be rigidly enforced.

Mr. Sistek. Thank you. This question would be for either the IG or the GAO. And, again, it is about management accountability.

There was a system that has recently been discontinued called 
the HR Links System. And I understand that both the IG and GAO 
are somewhat familiar with this system. We believe that there may 
have been inadequate oversight of the HR Links System while it 
was in production. 

What safeguards are now in place under the One-VA Enterprise 
Architecture to prevent any similar oversights, any similar lack of 
management control? 

Mr. Griffin. I think the centralization move is probably the key 
move in order for there to be accountability at the headquarters 
level. This ensures you won’t have 160-some medical centers, and 
58 ROs, and a number of cemeteries picking and choosing hard- 
ware, software, and systems that they might have a bias for locally. 

From the accountability standpoint — and HR Links, which went 
on for several years, there were initially two different people serv- 
ing as co-leaders of the initiative. The baton got passed several 
times. 

I think there were promises made regarding the capabilities of 
some of the software, which turned out not to be legitimate claims 
as to the volume they could process. They eventually learned that 
the programs would not handle the VA’s processing volume. 

Mr. Sistek. You are comfortable that such a set of problems 
would not — you could not construct a similar set of problems under 
the new Enterprise Architecture because of the centralized 
authority? 

Mr. Griffin. I think the centralized authority is key. But not to 
lose sight of the requirements and the fact that we are going to be 
doing annual audits, and that GAO is also going to be looking at 
this activity. 

My people, who work in the IT security area, are working very 
closely with Dr. Gauss’s people. Everybody knows what the mission 
is, they know that we are going to be monitoring progress and de- 
termining whether things are being accomplished timely. 

I think there is a good working relationship from the standpoint 
of our oversight and their mission requirements. 

Mr. Sistek. Thank you. Mr. Willemssen, do you have any in- 
sights into this? 

Mr. Willemssen. Yes, what I would add to that is that a key 
control that Dr. Gauss is planning to put in place is with his new 
responsibility for direct oversight of the one billion plus in IT fund- 
ing. He is going to be asking for specific spend plans from each of 
the administrations, so that he will now have something that prior 
CIOs have not had — he will know where the money is being spent. 

That has not been the case in the past. I can recall testimony I 
gave before the subcommittee a couple of years ago, where a ques- 
tion was asked about how much money is being spent. The ques- 
tion could not be answered. With this organizational setup, and 
with his plans, VA will have a mechanism and procedures set up where he 
will have that insight to where the money is being spent and what 
is being successful, and what is not being successful. And when it 
is not being successful he will be in a position to cut the project. 

Mr. Sistek. Thank you very much. I yield back. Thank you, Mr. 
Chairman. 

Mr. Buyer. I am going to be asking Dr. Gauss this question. But 
I am curious about whether it is the software or hardware manu- 
facturers out there; or whether it is relicensing issues. 

In a tough economic time, I can understand how some companies 
might want to fight to hold on to what they have, for whatever 
short-term, and not see the horizon, and what benefits can be there 
later on. 

Have you noticed anything out there where companies have not 
been at all cooperative? 

If you don’t know, just say you don’t know, and I will get into 
this with Dr. Gauss. 

Mr. Willemssen. Nothing comes to mind at this point, Mr. 
Chairman. 

Mr. Buyer. All right. I will have follow-up questions that I will 
submit for the record. And I appreciate your testimony and the 
work — not only yours, but that of your staff. Thank you for your 
testimony. 

Mr. Willemssen. Thank you. 

Mr. Griffin. Thank you, Mr. Chairman. 

Mr. Buyer. I now recognize Panel 2, Dr. John Gauss, Assistant 
Secretary, Veterans’ Affairs for Information and Technology. I ask 
you, Admiral Gauss, do you like going by Admiral or Doctor, or 
Secretary, or what do we call you? 

Mr. Gauss. Mr. Chairman, the reason I have put my former mili- 
tary title aside is that when Omar Bradley was the head of the 
Veterans Administration, he had a policy that senior officers should 
put their titles aside, since there were so many veterans who were 
working at the VA. And I chose to honor that tradition. And since 
I had another title that had been suppressed for 32 years, I decided 
to resurrect it. 

Mr. Buyer. Doctor, okay. How about Secretary? 

Mr. Gauss. Yes, sir, that would work, too. 

Mr. Buyer. Dad is the best title, though, isn’t it? 

Mr. Gauss. Sir? 

Mr. Buyer. Dad is the best title. That is what I have found. 

Dr. Gauss, Secretary, Admiral, you are now recognized for 5 
minutes. 
STATEMENT OF JOHN A. GAUSS, ASSISTANT SECRETARY FOR 
INFORMATION TECHNOLOGY, DEPARTMENT OF VETERANS 
AFFAIRS, ACCOMPANIED BY BRUCE A. BRODY, ASSOCIATE 
DEPUTY ASSISTANT SECRETARY FOR CYBER SECURITY, AND 
FRANK A. PERRY, CHIEF TECHNOLOGY OFFICER 

Mr. Gauss. Thank you, Mr. Chairman, and members of the sub- 
committee. On behalf of the Secretary of Veterans Affairs, I am 
pleased to have this opportunity to come here today and update 
you on the progress the Department has made in strengthening our 
information technology program, and specifically address issues re- 
lated to VA’s Enterprise Architecture, our cyber security program, 
the recent realignment of the Department’s IT structure, and 
issues raised at the March 13 hearing. 

Since my testimony is quite lengthy, I would like to summarize 
it in my opening statement. On March 13, I appeared before this 
subcommittee and gave you my personal commitment to reform the 
way VA uses information technology. 

I committed to publishing an approved Enterprise Architecture 
Implementation Plan by April 30. The plan was published on April 
22nd. I committed to ensuring that our networks and systems we 
depend upon are made secure and available. These efforts are in 
execution. 

I committed to personally overseeing VETSNET to ensure its 
progress meets the projected time of being ready to deploy by April 
of 2004, or recommending to the Secretary that the effort be 
terminated. 

In my written testimony, there are details that support the ac- 
tions that we have taken on VETSNET. The Undersecretary of 
Benefits and I have recommended to the Secretary that he continue 
in fiscal year 2003, since I believe they are on a glide path to be 
ready for deployment by April of 2004. 

And, finally, I committed to conducting the deployment review 
for the Government Computer Patient Records Program to ensure 
a quality product could be effectively deployed. The review was 
held on April 26. The product was successfully deployed between 
May 27 and July 17 of this year. 

With respect to GCPR and the other issues that had been identi- 
fied in the GAO reports, I believe we have satisfactorily addressed 
all remaining issues as addressed in my written testimony. 

With respect to Enterprise Architecture, the Secretary approved 
version 1.0 on September 5. It provides a clear pathway for the 
transition of both business processes and information technology 
across the Department. 

Additionally, staffing has been approved for the Enterprise Ar- 
chitecture Office to include a Senior Executive Service Chief Archi- 
tect. Recruitment for those positions is underway. Further details 
relating to the Enterprise Architecture efforts are contained in my 
written testimony. 

To correct our data network deficiencies discussed in the March 
13 hearing, we are executing a four phase project to re-architect 
our data network. That effort is underway, in execution, and de- 
tails are in my written testimony. 
With respect to cyber security, the Department has made signifi- 
cant progress in correcting deficiencies identified by the Office of 
the Inspector General and the General Accounting Office. 

This year, the Department fielded one of the largest anti-virus 
capabilities in the world, which protects over 140,000 desktop 
computers connected to VA’s intranet from malicious attack. To 
date, over 2 million viruses have been successfully detected and 
eradicated. 

In July, a multi-year contract to significantly upgrade the capa- 
bilities of our VA central incident response capability was awarded. 
This enhanced capability will provide such global services as fire- 
wall and intrusion detection management, vulnerability assessment 
done by our office, and penetration testing done by our office. 

In addition to the anti-virus and incident response capability ef- 
forts, the Department is continuing to deploy other specifically fo- 
cused initiatives that have been developed over the past 6 months 
to correct IT security weaknesses. 

These programs include our Enterprise Cyber Security Infra- 
structure Protection Program, and our newly established Cyber Se- 
curity Professionalization and Compliance Programs. Details of 
these three programs are contained in the written testimony. 

In a memorandum signed by the Secretary on August 6, he di- 
rected that all IT personnel and resources be centralized under the 
Office of the Chief Information Officer. The first action I took was 
to assign the administration chief information officers to become 
Department Deputy CIOs for Health, Benefits, and Memorial 
Affairs. 

Also, the senior IT manager in each VA Central Office staff office 
that operates or maintains IT networks and equipment now reports 
to me. Initially, I focused on establishing a clear unambiguous re- 
porting chain for the Department’s cyber security efforts. 

We have developed an organizational structure that combines the 
cyber security staff elements of the administrations with the Cen- 
tral Office’s cyber security staff, thereby creating a single inte- 
grated cyber security program office for the Department. 

Further, information security officers at the VHA VISN level, 
and at the VBA network service center level will become direct re- 
ports to the Office of Cyber Security early next fiscal year. 

Within each hospital regional office and cemetery, the ISOs will 
report directly to their respective facility director rather than the 
inconsistent manner of reporting of the past. 

In order to further consolidate, align, and properly staff our IT 
organizations, I have convened a group of senior leaders from the 
Department to develop a detailed reorganization package to submit 
to the Secretary by no later than November 1. 

I hope I have provided some insight as to the progress that has 
been made since the March 13 hearing. I believe these efforts dem- 
onstrate our very strong commitment at all levels to build an effec- 
tive information technology program to meet the Department’s and 
our veterans’ needs for the long term. 

With your assistance, we will be able to continue on this path to 
assure our continued ability to service our veteran population and 
their dependents. Thank you for this opportunity to discuss these 
very important issues. I will be happy to answer any questions. 
[The prepared statement of Dr. Gauss appears on p. 75.] 

Mr. Buyer. Secretary, what specific quantifiable commitments is 
the VA willing to make to the subcommittee on a full scale imple- 
mentation of the One-VA architecture, and how long will it take, 
and how much will it cost? 

Mr. Gauss. Mr. Chairman, with the publishing of version 1.0, we 
have identified the key business functions and key enabling func- 
tions for the Department and decomposed them into their subfunc- 
tions. Version 1 was not able to define the entire “to be” future of 
the Department; rather, it focused on seven key areas. 

Within those seven key areas we can commit to having our net- 
works modernized, which was one of the seven key areas, by Sep- 
tember of 2004. We can commit to having our enterprise Cyber Se- 
curity Infrastructure Protection Program completed by September 
of 2004, and fully implemented. 

Mr. Chairman, when we dissect that program, it is possible folks 
would say, “Well, why are you waiting until 2004?” That is the ab- 
solute latest date, and we will try to accomplish it much, much 
sooner than 2004. 

We have in our 2004 budget 

Mr. Buyer. Excuse me. 

All right. Go ahead. 

Mr. Gauss. We have in our 2004 budget’s submission request to 
the Office of Management and Budget the requested dollars for ini- 
tiating new projects focused on consolidating the eight different 
ways that we register veterans and determine their eligibility, to 
consolidate the five different ways that veterans can seek help on 
the processing of their benefits claims and for medical care from 
five processes to one. If approved those projects will start with 
some seed money in 2003, and start for real in fiscal 2004. 

The Department can also commit to completing the management 
plan that the General Accounting Office talked about over the next 
6 months and continue the evolution of that architecture to expand 
it to include the “to be” structure for other business areas in an up- 
grade mid-year and final version 2.0 late in the spring. 

Mr. Buyer. Thank you. Mr. Boozman, do you have any ques- 
tions? You are recognized for 5 minutes. 

Mr. Boozman. I guess I just have a quick comment, and maybe 
you can comment on it. You know this problem just seems to be 
central. And I think homeland security has brought it out that we 
have a real problem because of the fact that, you know, our com- 
puter technology is changing, and this and that, that our agencies 
aren’t able to talk to each other. And they are certainly not doing 
a good job of communicating with, you know, among themselves. 

Mr. Buyer. But I guess my question is we are spending all of this 
money. You know, we have sent a man to the moon. You know, we 
have done all of these things. I just don’t understand why we can’t 
get this fixed, in the sense that it seems like we almost, at this 
point, almost need a national initiative, you know, where we step 
in and focus not just for your agency, but all of these agencies and 
try and get a system that the government can use systemwide be- 
cause you all have got the same problem. 

Mr. Buyer. See what I am saying? 

Mr. Gauss. Yes, sir. 
Mr. Boozman. Much like, you know, like the NASA Program, 
again, you will fix that effort for us. I really see that we need some 
intervention. We are spending an awful lot of money among all of 
these agencies. And, again, as the technologies change and staff, 
you know, that still does not guarantee that we are going to be able 
to talk to each other. 

Mr. Gauss. Yes, sir. We do spend a lot of money across govern- 
ment on infrastructure-related items. When I talk about data net- 
works, that is the plumbing to make the information move, there 
is nothing exciting about the plumbing, but we spend far too much 
money on the plumbing. 

If you are going to protect your data, and you are going to protect 
your applications, you really have to know what your plumbing is 
so you can put the protection for the movement of that information 
on it. But that is another infrastructure problem that is not 
glamorous. 

And I agree with you, sir, that it is a far reaching problem be- 
yond just the Department of Veterans Affairs. But being the larg- 
est civilian department in government with over 220,000 employ- 
ees, we represent a large part of that problem. And that is why we 
are focusing on getting our network squared away, so we can in 
fact secure information and reduce the reported vulnerabilities 
from our Office of the Inspector General, and the General Account- 
ing Office. 

Mr. Buyer. Okay, thank you. Minority counsel is recognized. 

Mr. Sistek. Thank you again, Mr. Chairman. 

Dr. Gauss, oversight of the ISO community under the new plan 
does not extend to all field level activities. In other words, an ISO 
at a medical center would not have direct line authority linked to 
either you or to your cyber security chief. 

Do you think the current system is adequate and why? 

Mr. Gauss. I truly believe that by consolidating the headquarters 
cyber security programs into a single program for the Department, 
and having field representatives within the VISNs and within in- 
termediate field structure for VBA, that we have the tools to pro- 
vide the individual ISOs at the hospitals and regional offices with 
the direction, the oversight, and the inspection of their work. 

As I stated in my testimony, we will be requiring weekly reports 
from those ISOs to the intermediate management areas that then 
go up to Mr. Brody’s office for adjudication. There is an interesting 
trade space here, in terms of accountability. 

Mr. Sistek. Okay. 

Mr. Gauss. If we believe that the individual director should be 
held accountable for the mission, then the individual director 
should have the tools necessary to do it. The flip side says there 
is a potential conflict from an independence standpoint. But I think 
if we look at the alignment we had last March, to the alignment 
we will have come 1 October, we will make significant progress. 

Mr. Sistek. One quick question, different area, the finance proc- 
ess, how you finance and track IT projects in the VA is probably 
going to undergo a change as a result of your move to One-VA. 

What would facilitate that? How else can that process be im- 
proved on? Would a separate budget, for example, be a useful item? 
Mr. Gauss. To answer the first part, we are requiring the sub- 
mission of financial execution plans prior to the start of the fiscal 
year that outline in detail what is going to be done, who is going 
to do it, how much is going to be spent, and when it is going to 
be spent. 

And I am pleased to report that I have already received the fiscal 
2003 spend plans from all three administrations. And I am also 
pleased to report that the quality of the initial submission far ex- 
ceeded my expectation. 

Now we have some work to do. Some were better than others. 
Some had more data than needed. We will rebalance them between 
now and Christmas, but that is a financial control mechanism. 

With respect to budget and budget authority, there is a lot that 
we do in IT that is common across the Department that might be 
appropriate for central funding, such as the core of the network 
backbone, the cyber security program to protect the infrastructure, 
investment capital to modernize our computing environment to 
transform from a facility-centric environment to a network-centric 
environment. 

The eligibility and registration initiative to collapse eight proc- 
esses to one; the national contact management process to reduce 
five to one; and, perhaps, core FLS. The rest of the money, in my 
view, should remain in the administration budgets to meet mis- 
sion-specific applications and pay for the operation and mainte- 
nance of those applications unique to the administrations. 

Mr. Sistek. Thank you, Dr. Gauss. Mr. Chairman, I believe we 
will have some post-hearing questions along that vein. Otherwise, 
I am finished with questions. 

Mr. Buyer. Secretary, I apologize. We have three votes. I antici- 
pate the first is 15 minutes, and two 5 minute votes, so we prob- 
ably have 6 minutes to go. 

And because I have worked so hard to empower you, and I want 
to ensure that the Secretary’s commitment to the One-VA Enter- 
prise Architecture is successful, I have some questions for you. 

Mr. Gauss. Yes, sir. 

Mr. Buyer. So I am going to recess the subcommittee and recon- 
vene at 11:30. 

Mr. Gauss. Yes, sir. 

[Recess.] 

Mr. Buyer. The subcommittee will come back to order. Dr. 
Gauss, I want to ask a few questions on VETSNET, a program in 
which a lot of money has been invested. You know around here 
they like to say, “Well, it is a lot of money for pretend claims,” and 
all kinds of sour jokes. 

I mean I have no interest in beating you up. You know I could 
go through and say, “All right. How much money is spent? How is 
it benefitting the veterans?” Just can you give us a horizon here 
on VETSNET? 

Mr. Gauss. Yes, sir, I can. The development work that is left to 
complete deals with the financial module and the payment award 
module. And with those two modules complete, from a compensa- 
tion and pension perspective, VETSNET will be ready to deploy 
and move the payment of compensation and pension checks off of 
the old Legacy BDN system. 
At the last hearing, I committed to the committee to personally 
oversee and have the product delivered, a quality product delivered 
by April of 2004. We have built a comprehensive plan following the 
hearing. And over the past 6 months, every milestone in that plan 
has been executed. 

We have a program manager assigned, who is now responsible 
and accountable for cost, schedule, and performance execution. Our 
plan included the validation and finalization of all requirements ex- 
cept for reports generation by September. That date was met. 

The date that reports are due is by Christmas. On Tuesday of 
this week, the Undersecretary of Benefits and I jointly chaired a 
review of the health of this project. And we both believe and have 
recommended to the Secretary that we continue funding into fiscal 
year 2003. 

We will hold another review in December, when the final piece 
of the requirements definition is due to complete and review the 
detailed progress of the program. The contractor is scheduled to de- 
liver the developed product in the second — by the end of the second 
quarter of calendar 2003. 

The reason that I want from the end of June to the beginning 
of April is to take the product, run it through a comprehensive 
functional test to be sure it meets all of its requirements, repeat 
the comprehensive stress test that was done last year, put it into 
an operational environment, and have the user community verify, 
validate that it is both effective and suitable, and at that point de- 
clare victory and ready to field. 

And I have personally gone through this schedule. The Undersec- 
retary has gone through this schedule. And we believe that realisti- 
cally we can deliver a finished product ready to deploy with quality 
by April of 2004. 

Mr. Buyer. Concerning the government computer-based patient 
records program, can you tell us what’s been accomplished and who 
is presently in charge of implementation? 

Mr. Gauss. We have worked with DOD and defined VA as the 
executive agent for the project. We have assigned — last September, 
we assigned a dedicated project manager. Last September, we held 
a review of GCPR and baselined its schedule. 

We set a second quarter of calendar year 2002 date to finish de- 
velopment and deliver the initial product. All of those dates were 
met. The first version is deployed in the field. We started deploy- 
ment on May 27, and we finished deployment on the 17th of July. 

As far as the future, we have a Memorandum of Agreement be- 
tween the Deputy Secretary at VA, and the Undersecretary for Per- 
sonnel and Readiness at DOD that maps out the future steps to be 
taken in that project. We believe that we have satisfied all of the 
recommendations that were in the June 2002 GAO report, as it re- 
lates to GCPR. 

Mr. Buyer. How is this empowerment from the Secretary 
working? 

Mr. Gauss. It has been working well. The week after the memo 
was signed, we had a conference in Austin, TX, with predominantly 
the technical community, but there were folks from the administra- 
tion headquarters present. And I can guarantee you that that 
memo got everyone’s attention. 
And the people in the field have been most cooperative in work- 
ing with my office to do what is necessary to put the proper con- 
trols in place. It was the field that volunteered to draft the format 
for our financial execution plans. 

So they formed a team; I worked with the team, and we came 
out with a template, published it, and 2 weeks ago I received 
VHA’s spend plans that were very high in quality. I also have VBA 
and NCA’s spend plans for fiscal year 2003. Since this is a new 
process, we will work our way through some of the bugs between 
now and Christmas. 

But, overall, if you were to ask me do I know where the 2003 
money will be spent, I can tell you today I have a very good idea 
and by Christmas I will be able to tell you I know exactly where 
it is being spent. 

Mr. Buyer. Well, it appears by the editorial I read from the Fed- 
eral Computer Week, that some of your counterpart CIOs are sort 
of jealous. They like your direct line of authority. They like your 
budgeting authority, and maybe this will become a model for other 
departments. 

So I have a question. Is it Mr. Brody? 

Mr. Gauss. This is Mr. Bruce Brody. He is our Associate Deputy 
Assistant Secretary for Cyber Security. And on my left is Dr. Frank 
Perry, who is the Chief Technology Officer, and Acting Chief Archi- 
tect. And it was Frank who led the 97 day effort to get version 1 
of the architecture complete. 

Mr. Buyer. Well, thank you for your work. 

Mr. Perry. Thank you, sir. 

Mr. Buyer. I recall from one of the hearings we had with regard 
to security of your systems, you had more of a problem from inter- 
nal than external. Is that still the case? 

Mr. Brody. Are you referring to the weaknesses of these systems 
or the accessibility of information? 

Mr. Buyer. Yes, and penetration and privacy issues. 

Mr. Brody. Generally speaking, in most government agencies the 
predominant threat is from internal users. But after September 11, 
we determined that it was the top priority of the Department to 
protect the enterprise from external attack. And that is where we 
have been focusing our attention. 

Mr. Buyer. Help me out here. Break it out. For whatever reason, 
I have this in my mind that the overwhelming concern with regard 
to security and breaches of privacy was from internal sources, and 
that was the degree of your problem. 

So have you like shifted focus to the 20 percent, and not to the 
80 percent of the problem, or is it a 60/40, 70/30? 

Mr. Brody. I am not sure of the exact percentages. What I can 
say is that in dealing with the internal threat, we have not been 
entirely negligent. We have put some controls in place. We have 
content monitoring, content filtering. We have intrusion detection 
systems. We have anti-virus and other malicious code detection 
measures in place. 

We have a robust incident response and incident management 
capability. But where we have been dedicating a tremendous 
amount of focus since September 11 has been in protecting the 
boundary of the enterprise from external attack. 
Mr. Buyer. September 10, 2001, major issue not only in this 
committee, but also the Health Subcommittee of Ways and Means, 
several different committees of the Energy and Commerce Commit- 
tee was privacy. Privacy, that was the big issue prior to September 
11, and I just want to reinforce that. 

And, hopefully, you will place me in a degree of confidence, Dr. 
Gauss, that while you work on the external, let’s not forget about 
these issues. Okay? 

Mr. Gauss. May I add something here? 

Mr. Buyer. Sure. 

Mr. Gauss. As we started to map out the blueprint of our net- 
works, we found over 200 external connections to places outside of 
VA, and over 1,000 dial in accesses into VA. And we found that 
most of them were not protected. So, from a threat perspective, it 
was the entire universe including internal at the VA that could po- 
tentially violate and compromise our information technology 
systems. 

So, from a risk management perspective, we viewed to put the 
protection on the external boundaries to reduce the threat from 
global to within VA. And, as the IG and the GAO had stated, we 
have come a long way in that external protection. And now we will 
focus on protecting against the internal threat. 

Mr. Buyer. Well, this takes me to this sentence that confused 
me. When you talked about taking — that you were systematically 
going to collapse over these 200 existing structures on page 5, can 
you help explain what you meant by this, “Concurrent to this effect 
department-wide, IDS capability will be incrementally deployed on 
a strategic basis to provide significantly increased security protec- 
tions for these gateways?” 

Mr. Gauss. Yes, sir. Mr. Chairman, I would like to apologize to 
members of the committee for the poor language that I chose in 
that sentence. 

We will be setting up a pilot in January of 2003, that will dem- 
onstrate the hardened boundaries at our data centers and to the 
external world. Once we prove that it works, we are going to put 
it at two other locations in 2003. We do not have the sizing data 
to know if the three sites will hold — can handle the capacity needed 
to support VA. 

If we find three is enough, we are done. If we find we need a 
fourth, or a fifth, or a sixth, so the intent of that sentence was 
meant to be, “We have a plan in place to put the initial capability. 
We are going to collect data, measure our ability to support the en- 
tire enterprise, and if we have to put a fourth, or a fifth, or a sixth, 
we will then do it at that time, migrate our networks into this ar- 
chitecture, disconnect the backsides, and put a very high security 
boundary from the outside, and inside where our key data is 
stored. We will then move to every facility within VA and provide 
protection everywhere.” 

Mr. Buyer. This goes to the question that I had asked the IG 
and the GAO relative to cooperations out there from vendors, com- 
panies. You have got many different forms of existing contracts, 
maintenance agreements, and the list goes on and on. So I want 
to know how cooperatively these companies are working with you 
or not working with you. 
Mr. Gauss. In my opinion, having worked with a large contract- 
ing base in my current and prior life, I really have not seen co- 
operation levels change that much as a result of the economy, 
which was part of what your question was to the IG and the GAO. 

I am finding that I am not really seeing any change in how we 
deal with these folks. Now one of the benefits of having a chief 
technology officer is that we have somebody who can look deep into 
the technical offerings the companies are making to determine 
whether it is good stuff or not good stuff. A lot of VA’s historical 
problem is that we have bought some things we probably should 
not have. 

Mr. Buyer. Well, see, that is what we want to correct. We do not 
want all of these multiple different levels of purchases, different 
types of software. That is why we are coming to you. 

Mr. Buyer. Yes, sir. Dr. Perry, can you — one of you — be able to 
tell us about this solicitation? 

PCHS, is that what I hear it is called, this 1.2 billion solicitation? 

Can you sort of break out what you are doing here with this and 
how it fits, one of you? 

Mr. Perry. It is an enterprise-wide contract for procuring com- 
modity items and other IT specialty items. And through that it 
gives us an opportunity to gain additional controls over the acquisi- 
tion process so that from an architectural perspective, and from a 
security perspective, we can assess the worthiness of products prior 
to putting them onto that acquisition vehicle. 

And then, subsequently, whenever folks need to procure them, 
we do not have to reassess unless a new element comes along. 

Mr. Buyer. Dr. Gauss, did you want to add something? 

Mr. Gauss. One of the important benefits of PCHS II is that it 
is a multiple award contract. And I am requiring every purchase 
made on that contract to be offered to all four primes to give them 
the fair opportunity to compete for the award. And that has given 
us very good price advantage. 

So it is not just four companies who can go market their individ- 
ual wares and charge what the market will bring. We put competi- 
tion in place for every procurement. And, as Dr. Perry said, they 
were architecturally compatible. The products were architecturally 
compatible with where we head to the future. 

Mr. Buyer. But there are not very many operating systems, 
right? 

Mr. Gauss. Yes, sir. 

Mr. Buyer. I do not know how you are going to make these de- 
terminations of the least “responsive” bidder. You know if you say, 
well, we are going to go to four primes — and I am just saying I rec- 
ognize some real challenges that you may have. 

I have not always been a proponent of sole source contracting, 
but sometimes in some places there can be advantages to it. And, 
hopefully, you are exercising the good judgments. 

If I were a medical director out there, and I want to upgrade my 
systems, maybe a server or (ers), maybe printers, my desktops, can 
I do it on my own or do I have to go through you? 

Mr. Gauss. First of all, you would have to identify it in your 
spend plan. Second, we have an IRM approval process where you 
would have to request approval to do it. And, third, you would be 
required to purchase it off the PCHS contract. Now should you 
have a requirement that is not on the contract 

Mr. Buyer. And this is going to apply to everyone? 

Mr. Gauss. Everyone. 

Mr. Buyer. So whether it is in the claims to — okay. 

Mr. Gauss. Now should you have a requirement that is not satis- 
fied by the contract, then I would entertain a waiver to use a dif- 
ferent contracting vehicle. But I expect waivers to be few and far 
between. I have granted one waiver so far since PCHS II has been 
awarded. 

Mr. Buyer. So do you envision in the future that the VA would 
have — let’s just take servers as an example. 

Mr. Gauss. Mm-hmm. 

Mr. Buyer. That you would have servers come from one particu- 
lar company, and that is who has that maintenance agreement? 

We do not have multiple agreements out there with multiple ven- 
dors. We are going to have one. 

Mr. Gauss. We have four primes on the PCHS II contract, so 
they would come from one of those four vendors. We have had proc- 
ess control over those four. 

Mr. Buyer. So you could still envision overlapping of different 
vendors, whereby, you have got some servers in use, and then a 
few years later, you might open up another solicitation and you are 
still going to end up with mixed systems? 

Mr. Gauss. Well, when you look at the basic technology of the 
server, you really have three operating systems to deal with. You 
have a Windows operating system from Microsoft; you have UNIX 
operating systems, which are kind of fading out of the market 
frankly; and you have LINUX, which is being introduced. 

Windows operating systems run on chips produced by Intel Cor- 
poration. And so, whether you buy a Dell, or you buy a Compaq, 
or you buy another brand that runs Windows, you are running on 
a chip. And what is different is some of the interface drivers for 
the different peripherals. 

I know this is getting down into the weeds, but the basic tech- 
nology is the same, be it a Dell, be it a Compaq, or be it another 
vendor. So I do not see that diversity as being a big problem. 

Mr. Buyer. As we seek to have more sharing agreements, and 
interoperability and connectivity between DOD and VA, if DOD is 
on a Microsoft system, and you are on a LINUX, would there be 
problems? 

Mr. Gauss. Let me ask Dr. Perry to address that question. 

Mr. Perry. At the network level, we could deal with those kinds 
of issues by dealing with messaging standards, and things like web 
services, to address those issues where I do have heterogeneous 
platforms. 

But, in several cases, Dr. Gauss talked earlier about the registra- 
tion and eligibility. That is the second major effort that we are try- 
ing to do jointly with the Department of Defense, since when they 
register members, service members and their dependents in their 
benefit systems, that provides us with a golden opportunity to 
reuse that as an original source of information coming across. 

And what we have agreed with the Department of Defense is to 
pursue the fiscal 2004 new start that Dr. Gauss talked about for 
a One-VA registration and eligibility system jointly with the De- 
partment of Defense. 

And, in fact, in that case, we have also agreed that we would use 
the same technology, and basically establish a single shared reposi- 
tory of personnel demographic information and bi-directional flow 
into and out of the repository from both DOD and the VA. 

Mr. Buyer. All right. When you used the term “shared” 

Mr. Perry. Shared repository. 

Mr. Buyer. Huh? 

Mr. Perry. A shared repository for personnel — personal demo- 
graphic information. Basically 

Mr. Buyer. No, that is not what my question is. When you go 
back to your comment of sharing technology with DOD, what is 
DOD’s operating system? 

Mr. Perry. Across the Department, they use many. There is 
probably one each of quite a large subset of what is out on the mar- 
ket. In specific areas such as the area that I am addressing here, 
the registra 

Mr. Buyer. Let’s take records. I mean that is where we want to 
be able to move these veterans records. If they get a medical board, 
they are medically boarded out of the military and we wanted to 
shift that over directly to the VA, if it is on a Microsoft system, 
would we want to keep it in a Microsoft system at the VA? 

Mr. Perry. What is more important than the operating system 
is standardizing the data that comes across. 

Mr. Buyer. Okay. 

Mr. Perry. Both the syntax of the data, the structure that it 
takes, and the semantic meaning of all of the data elements. And 
many of the interoperability initiatives that we are pursuing with 
the Department of Defense are in fact on standardization of data, 
so that it is not so much of an issue what operating system, or 
frankly what data repository applications on top of that, if we all 
have the same Lexicon. 

In some cases, we could go farther and actually have the same 
platform and the same applications reused. But the essential ele- 
ment is that we have shared meaning and understanding of the 
data that we exchange; and that standardization of data is sort of 
the, both necessary and sufficient condition to have interoper- 
ability. 

Mr. Gauss. From a technology standpoint, the key there is in the 
database engine. And we will be using the same database engine 
as DOD. And that will give us that interoperability to transfer the 
information once the data is standardized and formats are properly 
defined. 

Mr. Buyer. And this standardization of data, is it going well? 

Mr. Perry. Yes, it is, in the health care area that is proceeding 
fairly well. And I think setting an example to be used potentially 
more broadly than just DOD and VA. 

And, as we embark on doing the similar thing, with regard to 
personnel information, basic registration information, how to con- 
tact veterans, how to go through the process of determining their 
eligibility, we will do the same thing there, and in fact have a 
shared repository of that data with DOD. 
Mr. Gauss. Our biggest challenge is going to be able to gain ac- 
cess to all of the DOD data that is necessary to have in VA. For 
example, not all of the data that is in the DD-214 is available from 
DMDC. So part of our work effort with DOD is to get that data 
from DOD, so we can share with it. Definitionally, I think we are 
in good shape. 

Mr. Buyer. Boy, that is one of the basics, isn’t it? A DD-214 is 
like the entry to our system. 

Mr. Gauss. Yes, sir. 

Mr. Buyer. Congratulations, how far you have come in 6 months. 

Mr. Gauss. Well, the DD-214, copy 3, unfortunately, copy 3 of 
the DD-214 is mailed to the Austin Automation Center. And the 
first time it gets digitized is when someone in VA hand jams it into 
a VA computer to create an electronic record. We have to fix this. 
When I retired, I got a letter three 

Mr. Buyer. Let me ask this question. There has got to be a 
quicker way to do that, isn’t there? 

I mean if I give you that DD-214, can’t you just have that? 

Mr. Gauss. It is a carbon copy DD-214. 

Mr. Buyer. Say again? 

Mr. Gauss. It is carbon copy. 

Mr. Buyer. A carbon copy? 

Mr. Gauss. Yes, sir. 

Mr. Buyer. Oh. 

Mr. Gauss. We have to fix 

Mr. Buyer. It is not on a machine with vacuum tubes? You know 
this is — you know unbelievable. 

Mr. Gauss. Yes, sir. 

Mr. Buyer. Is there some worry about fraud or something as to 
why a DD-214 cannot be scanned into your system, and then sent? 

Mr. Gauss. Unfortunately, the way that the DD-214 gets filled 
out is not consistent. For example, in my DD-214, the fact that I 
served in the Vietnam Theater of Operations does not — is not re- 
flected on my DD-214. 

Mr. Buyer. And you are an Admiral. 

Mr. Gauss. Yeah, well, part of the problem is that they start 
with your most recent tour of duty, work back, and when they run 
out of space. It is a terrible process and it needs to be fixed. And 
that is in our gun sights to get fixed. 

And this effort with DMDC has a very high priority to get the 
missing data, and get it electronically, and get it from DOD elec- 
tronically, so we can start the process flow. I was appalled that it 
took 37 days for me to get a letter after I retired from the VA say- 
ing you are eligible for all of these benefits. 

And I told my staff I have good news and bad news. The good 
news is VA knows I am alive. The bad news is why did it take 37 
days? I should have had that letter on the 2nd of July. We have 
to fix this. 

Mr. Buyer. As you move, you have been empowered because you 
are the agent of change. And when you are the agent of change, 
you upset people, you upset systems. So my question is about li- 
ability exposure. 
Should we anticipate any liability exposure from any contracts 
with any vendors in which you may be altering, amending, or 
canceling? 

Mr. Gauss. I do not see any, frankly. Very sincerely, I do not see 
any. Most of the contracts that we have in place have base years 
plus options. Failure to exercise an option does not incur a liability. 

Termination of a contract while in execution that has a term and 
a set of conditions could expose you to termination liabilities. But 
the way our contracts are right now, I do not see that. 

Now, let’s assume 

Mr. Buyer. The reason I asked the question is that we want to 
empower you so much that you make judgments for the horizon, 
not based on any particular fear of a liability. Okay? 

Mr. Gauss. Yes, sir. 

Mr. Buyer. And I want you to keep the timeliness because of the 
billions of dollars that we are laying out here. When veterans are 
in line to get in the system, and we are willing to make a commit- 
ment in billions to you or 1.2 millions for your PCHS. That is why 
we are taking time here today. 

Mr. Gauss. Yes, sir. 

Mr. Buyer. So if there is a contract out there and they say, 
“Well, I can’t do this because,” talk to us and let’s try to work coop- 
eratively here. Because I want you to keep your eye on the horizon. 
I want you to open those doors. I want you to change systems. And 
if you have got somebody that is in the way, and they are willing 
to give up their “goodwill” — okay? 

Mr. Gauss. Yes, sir. 

Mr. Buyer. They are willing to give up their goodwill, have at 
it. Okay? 

Mr. Gauss. Yes, sir. 

Mr. Buyer. Let me yield to minority counsel. I think he has one 
question. 

Mr. Sistek. Thank you, Mr. Chairman. 

Earlier today, the chairman broached a question on the internal 
threat. And last April 2001, the subcommittee heard testimony on 
various types of authentication tools, public key-based digital sig- 
natures, et cetera. 

What is the Department doing today in that regard concerning 
the internal threat? And where are we going 4, 5, 6 years from 
now? 

Mr. Brody. As I mentioned earlier, we have a number of pro- 
grams in place to deal with the internal threat. They range for any- 
thing from our active monitoring of the environments, penetration 
testing, vulnerability scanning, the malicious code deployment, 
which is the largest in government. 

Mr. Sistek. I think we were looking more for authentication 
tools specifically. 

Mr. Brody. On the authentication side, we have a major pro- 
gram that has not been initiated yet, but we will be wheeling out 
over the coming year, referred to as the Authentication and Au- 
thorization Infrastructure, which involves the use of public key in- 
frastructure, as well as potential smart cards and multi-factor au- 
thentication that we will deploy across the department and be used 
for authentication purposes. 
Mr. Sistek. When will you have that fielded and operational 
department-wide? 

Mr. Brody. We have asked for funding in the fiscal year 2004 
budget. It has — of course, that carries with it a fiscal year 2003 
authorization. So we will be kicking that off in the very near term. 

Mr. Sistek. Thank you very much, Mr. Chairman. 

Mr. Buyer. One question I have, I wrote a little note down when 
you used the term, “In 2004, I get to declare victory on VETSNET,” 
and I thought about that. I don’t know what that means. 

Mr. Gauss. Having a product, a quality product, that is ready to 
deploy into the field, so that as we roll it out and transition from 
the old system, that it is going to work, be useable, and start doing 
the job. 

When the deployment is complete, we then shut down the bene- 
fits delivery network that runs on the Honeywell, and what had 
been originally envisioned to be achieved through VETSNET would 
be achieved, albeit, later than had been planned and at a larger 
cost. 

Mr. Buyer. All right. Mr. Secretary, I want to thank you. I want 
to thank the Secretary Principi for empowering you. And I believe 
his move was the right move, in order for him to hold true to his 
vision of one Enterprise Architecture for the VA. 

I compliment you on your work that you have done here over the 
last 6 months. I will accept your sincerity, Mr. Brody, that you are 
going to watch both. And, Dr. Perry, I am impressed by your elo- 
quence. I am not a techie, but I can hang with you, which scares 
me, scares me a lot. 

This concludes the hearing. And, Secretary Gauss, thank you 
very much. 

Mr. Gauss. Thank you, sir. 

[Whereupon, at 12:22 p.m., the subcommittee was adjourned.] 
APPENDIX 


VA restructuring IT management 

Move gives more power to department CIO 

BY JUDI HASSON 

Department of Veterans Affairs Secretary Anthony Principi has ordered the reorganization of information technology operations at VA headquarters by centralizing budget and management control in the chief information officer’s office. 

Principi said he ordered the changes because the VA had been hampered in carrying out plans to create “one VA,” a pledge he made when he took office, and “time is running out.” 

“We have a lot of work to do,” Principi told Federal Computer Week Aug. 9. “It’s been very clear to me that this road is long and difficult.” 

In an Aug. 6 memo to key officers, Principi wrote: “Despite our best efforts, accountability for our IT resources remains elusive. To get from where we are to where we need to be across all VA’s IT programs, we must reorganize how VA’s IT is managed and financed.” 

There has been resistance to embracing the agency’s enterprise architecture plan, Principi said. The implementation of cybersecurity initiatives is lagging, and CIO John Gauss has not been provided with the budget details to “develop an integrated department IT portfolio.” 

Effective immediately, the VA’s IT functions and personnel will be realigned under Gauss. Gauss also will be in charge of IT appropriations beginning Oct. 1. 

The changes will affect the three CIOs within the VA — K. Adair Martinez, CIO at the Veterans Benefits Administration; Gary Christopherson, CIO at the Veterans Health Administration; and Joseph Nosari, CIO at the National Cemetery Administration. All three will become deputy CIOs reporting to Gauss. 

“That is the kind of support and action that every CIO dreams of,” said Roger Baker, a former CIO at the Commerce Department who tried to reorganize the CIO structure there in a similar fashion. “It’s a real tangible demonstration that VA is very serious about getting much better at IT very quickly.” 

Although the changes won’t have an immediate impact on operations at more than 150 VA hospitals, Gauss is holding a meeting Aug. 12-15 in Austin, Texas, for almost 300 VA IT employees to discuss the new structure and future change. 

In a separate memo, Gauss told all IT personnel that there would be “no job loss due to reorganization.” 

“Change doesn’t necessarily need to be slow and ponderous,” said Alan Balutis, executive director of the Federation of Government Information Processing Councils. “I don’t think there’s anything wrong with going in sometimes and breaking a little china to achieve some results.” 


VA bolsters IT security 

BY JUDI HASSON 

The Department of Veterans Affairs has embarked on an innovative cybersecurity approach that could serve as a model for other federal agencies. 

A consortium of five high-tech companies, known as the VA Security Team (VAST), began work Aug. 1 protecting the VA’s entire network, from hospitals to cemeteries to medical and insurance records. 

The VA awarded the consortium a contract potentially worth $103 million over 11 years for the VA’s Computer Incident Response Capability. 

“We’re the second-largest federal government computing enterprise,” said Bruce Brody, the VA’s cybersecurity chief. “The magnitude of our enterprise alone makes it a target of malicious intent.” 

The VA has long been a target of hackers. Since January, VA computer systems have blocked more than 1 million virus attempts. And a private auditing firm hired by the VA’s inspector general easily broke into computers at the agency and gained control of the data. 

In March 2001, Brody was hired as the associate deputy assistant secretary for cybersecurity to fix the problems. 

Brody said VAST would be handling incident analysis, management and response for the VA’s nationwide system, which will include dealing with vulnerabilities and computer forensics. 

In addition, the consortium will be handling managed security services nationwide that will be “mandatory for every hospital.” 

SecureInfo Corp., a San Antonio-based cybersecurity company that has done similar work for the Defense Department, is leading the consortium to detect and respond to threats and real-time incidents around-the-clock. 

Other consortium members include Applied Engineering Management Corp., 



EDITORIAL 


COMMENT 


FEDERAL COMPUTER WEEK 




MANAGEMENT 

The rise of the CIO 


This month marks the sixth anniversary of the Clinger-Cohen Act of 1996, which established the position of chief information officer at federal agencies. It’s been a disappointing six years, during which frustration has increased among CIOs as they struggle to earn clout with agencies’ senior management circles and help use information technology to support business process change. 

But times are changing. 

Anthony Principi, secretary of the Department of Veterans Affairs, has given John Gauss, the agency’s CIO, IT budget and management control. The reason, Principi said, was because many in the agency were resisting the VA’s enterprise architecture plan and the cybersecurity initiatives, which are aimed at plugging holes in VA information systems. Such authority is what one former federal CIO called “a dream” for anyone in that position. 

Traditionally, that’s where this kind of authority has been — in CIOs’ dreams. These responsibilities are exactly what CIOs and their supporters have been calling for since the Clinger-Cohen Act was signed into law Aug. 8, 1996. Without the resources or authority to affect buying or management decisions, CIOs have been caught between a rock and a hard place. 

Federal management experts have said what was needed was a commitment from the top — the agency head. Principi stepped up to give his agency’s CIO authority and, in doing so, shows other agency secretaries what needs to be done. It is a bold move, and one that is sorely needed. 

Principi understands that IT will help transform the VA. He also understands that he must place a lot of the responsibility for reforming the agency in the hands of the CIO. Many agencies should watch for how this management story unfolds. Of course, not all decisions will be the right ones, but giving the CIO the space to succeed or fail on his or her own terms is a good place to start. Principi’s decision will likely result in a more effective, streamlined and secure VA. 
MANAGEMENT 


BRIEFING 


VA spruces up security act 


Agency tightens 
system, personnel 
management 


BY JUDI HASSON 

Only 18 months ago, the Department of Veterans Affairs received a failing grade for its cybersecurity efforts. 

Reports from the inspector general’s office criticized the agency for failing to protect its computer environment. Congress was up in arms over disclosures that it was a cakewalk to hack the VA’s systems. And VA officials did not even know how many renegade gateways had been set up to get into the VA computer system. 

In a remarkably short period of time, the VA has cleaned up its act. 

“When I got here, this place — cybersecurity — was pretty chaotic,” said Bruce Brody, the VA’s cybersecurity chief since March 2001. “There was nothing but bad news.” 

But Brody had some strong supporters who resolved to fix the problem. Backed by VA Secretary Anthony Principi, who has promised to create one VA, and chief information officer John Gauss, Brody has made changes that are becoming the model for other agencies facing cybersecurity threats. 

“With the support of the secretary and the leadership of the CIO and his team, we have come a long way,” Brody said. “But much remains to be done, and we are working very hard to do it.” 

It is no easy task. There are more than 200 unauthorized and unprotected gateways into the VA’s central cyber infrastructure, built by employees in the field with no authority to do so. It was “uncontrolled,” Brody said. And VA officials had no idea how big VA cyberspace was. “They sprouted like a thousand flowers blooming,” Brody said. “There was no consistent security policy. Wherever someone wanted a gateway, there was a gateway.” 

The VA launched the Enterprise Cyber Security Infrastructure Project to find the gateways and secure them. In the next two years, the VA will create standardized hardened gateways that will be centrally managed and monitored by VA security operations centers. 

In October, the VA will begin closing down the unauthorized gateways. In the meantime, the cybersecurity office is requiring tighter firewalls and periodic testing to make sure hackers cannot get in. 

“By September 2004, there will only be a single-digit number of exit gateways...and no other external connections,” Brody said. 

Gateways aren’t the only problem within the VA, although it has been one of the biggest headaches. The agency has worked to develop a cutting-edge enterprise architecture plan and standardize programs throughout its network, which reaches more than 160 hospitals. Last month, the VA awarded a contract to manage its nationwide security services around the clock. It is putting a national virtual private network in place in October. The VPN will enable the agency to encapsulate, encrypt and then send data to a specific destination. 

“Veterans records are more secure than they have been in the past,” Brody said. “They are not as secure as they will be in the future.” 

Matt Roland of Gartner Inc., a market research firm, said that good information technology security is a property of an environment, not the property of a product or technology. 

“A lot of organizations focused on deploying firewalls and antivirus software,” he said. “Now there is an increased emphasis on establishing management processes around these technologies.” 

It appears the VA has turned a corner. In August, Principi consolidated IT management and budget functions under the CIO, a move that Congress has sought for seven years. The order also consolidates cybersecurity functions, which includes centralizing the $50 million cybersecurity budget in Brody’s office. 

Art Wu, staff director of the House Veterans’ Affairs Committee’s Oversight and Investigations Subcommittee, said the VA’s actions should “expedite and facilitate VA’s compliance under” the Government Information Security Reform Act. 

The VA is “definitely on the right track,” according to Shannon Kellogg, vice president for information security programs at the IT Association of America. 

The agency is looking at security in a “holistic fashion, a multi-tiered process,” and that makes all the difference, Kellogg said. 
VA’S INFORMATION TECHNOLOGY SECURITY PROGRAM 
TESTIMONY OF 

THE HONORABLE RICHARD J. GRIFFIN 
INSPECTOR GENERAL 
OFFICE OF INSPECTOR GENERAL 
DEPARTMENT OF VETERANS AFFAIRS 

HOUSE COMMITTEE ON VETERANS’ AFFAIRS 
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS 

September 26, 2002 

Mr. Chairman and Members of the Subcommittee, I am here today to report on our 
findings concerning the Department of Veterans Affairs’ (VA) Information Technology 
(IT) security program. Our work continues to identify serious Department-wide 
vulnerabilities in IT security. As a result, we concluded from our audit results that the 
Department must continue to designate information security as a material weakness area 
under the Federal Manager’s Financial Integrity Act (FMFIA). 

Since our March 13, 2002 testimony to this Subcommittee, we completed a second 
national audit of VA’s IT security program. A draft report has been provided to the 
Department for review and comment. The audit found that the Department has a number 
of initiatives in process that will provide the opportunity to improve VA’s information 
security posture. 

Key Department actions include: 

• Establishment of a VA-wide security plan; and the required policies, procedures, and 
guidelines mandated by the Government Information Security Reform Act (GISRA). 

• Implementation of VA-wide anti-virus protection. 

• Staffing information security officer positions. 

• Prioritization of Department-wide security remediation efforts. 

• Centralization of the Department’s IT security program under the Office of the Chief 
Information Officer (CIO). 

While progress has been made, much work remains to implement key IT security 
initiatives, establish a comprehensive integrated VA-wide security program, and fully 
comply with GISRA. Our audit work continues to identify significant security 
vulnerabilities that represent an unacceptable level of risk to VA operations and its 
mission of providing healthcare and delivering benefits to the Nation’s veterans. 
Significant information security vulnerabilities continue to place the Department at risk 
of: 


• Denial of service attacks on mission critical systems. 

• Disruption of mission critical systems. 

• Unauthorized access to and improper disclosure of data subject to Privacy Act 
protection and sensitive financial data. 

• Fraudulent payment of benefits. 

Penetration Tests Showed That VA Systems Need To Be Better Protected 

Penetration testing completed during the past 2 years verified that VA’s automated 
systems could be exploited to gain access to sensitive veteran healthcare and benefit 
information. In response to last year’s testing, the Department strengthened security 
controls at the facilities where we conducted our testing. During this year’s follow up 
testing at these sites, the security control measures established prevented our external 
penetration attempts (access to systems from outside of VA’s network). VA must 
implement external automated system protection measures Department-wide to 
adequately protect its systems and sensitive data. 

Continuing automated system control vulnerabilities allowed our internal penetration 
testing (access to systems from inside of VA’s network) to gain access to sensitive 
veterans’ benefit and healthcare information. 

The vulnerabilities exploited during this year’s testing were present during our previous 
testing a year ago. The Department has not taken appropriate corrective action to 
eliminate these vulnerabilities in response to our initial findings. The nature and number 
of vulnerabilities found warrant immediate attention to reduce the significant exposure 
and high risk of an internal attack. 

Industry experience shows that the risk of inappropriate access by employees/contractors 
is highest inside of the network. We have again provided the Department with the details 
of this year’s penetration testing results and recommendations on how the vulnerabilities 
could be corrected. 

VA’s CIO Needed Expanded Authority Over Security Remediation Efforts 

This year’s security audit has shown that VA needs to take additional actions to correct 
information security vulnerabilities. VA’s overall weak cyber security posture continues 
to be unacceptable and is reported as a Department material weakness. In our view, 
VA’s overall security posture is one of the results of a lack of a unified or “One-VA” 
approach to information security that has led to an ineffective approach to the 
implementation of necessary security improvements across the Department. 
The Department’s Administrations and staff offices have individually managed and 
controlled their information security program activities. Our security assessment results 
show that this decentralized management approach has not worked, with a continuing 
unacceptable security posture for the Department as a whole. Many security 
vulnerabilities identified in last year’s audit remain unresolved, and additional security 
vulnerabilities were identified. With the exception of certain information technology 
acquisitions, the Department CIO did not have the authority to assure that the 
Department’s security remediation efforts are completed. The decentralized management 
approach to information security management impeded the Department’s ability to 
successfully strengthen its overall security posture. 

We met with the Department CIO on July 22, 2002, and advised that we would be 
recommending that the Department centralize authority for the implementation of 
security remediation efforts to his office. This centralization of authority would include 
management and decision authority on all Department security remediation efforts. We 
had previously recommended centralized oversight in our prior year audit. On August 6, 
2002, the Secretary of Veterans Affairs issued a memorandum centralizing the 
Department’s IT security program, including authority, personnel, and funding in the 
Office of the Department CIO, effective October 1, 2002. 

We believe that the Secretary’s action will provide the opportunity to implement a “One- 
VA” approach to information security with implementation of necessary security 
improvements across the Department. 

Department CIO Needs To Take Corrective Action In Several Key Areas 

Based on the results of our second annual audit of VA’s IT security program, we 
recommended that the Department CIO take the following actions: 

• Complete priority security remediation efforts in the next 12 months for the following 
areas: (1) install intrusion detection systems nationwide; (2) complete infrastructure 
protection actions; (3) complete data center contingency planning; (4) complete 
certification and accreditation of VA systems; (5) upgrade/terminate external 
connections; (6) improve configuration management of VA systems; (7) move the 
location of the VA Central Office (VACO) data center; (8) eliminate vulnerabilities in 
the application program/operating system change controls; and, (9) control physical 
access to computer rooms. Budgetary resources necessary to accomplish the priority 
security remediation efforts should be requested. 

• Require the Administrations to: (1) correct identified security vulnerabilities at their 
facilities and data centers; (2) improve security awareness at the operating levels; and, 
(3) highlight the need to assure compliance with existing VA information security 
policy, procedures, and controls. 
• Require the Administrations to certify completion of the remediation of information 
security vulnerabilities identified by the audit and provide annual facility certification 
of compliance with VA security policy, procedures, and controls. 

• Establish skill levels and training requirements for Department information security 
staff to assure that they are capable of effectively performing their assigned duties. 

• Implement VA-wide policy for effective monitoring of network operations to include 
use of electronic scanning and penetration testing techniques. 

• Establish a national clearinghouse in the Office of Cyber Security for identifying and 
distributing information on security patch upgrades/fixes that need to be 
implemented. 

• Assure that the GISRA reporting database accurately reflects the status of completed 
Department security remediation actions. 

• Address the areas of non-compliance with GISRA, Office of Management and 
Budget (OMB) Circular A-130, Appendix III, and Presidential Executive Order 
13231 on critical infrastructure protection requirements. 

Conclusion 

VA needs to take additional actions to establish necessary security controls to proactively 
identify and prevent information security related risks and implement corrective action. 
As reported in our Fiscal Year (FY) 2001 information security audit and based on the 
work completed during the FY 2002 audit, VA still has not effectively implemented all 
planned security measures and has not assured compliance with established security 
policies, procedures, and controls requirements. 

This concludes my testimony. I would be pleased to answer any questions that you and 
the members of the subcommittee may have. 
Committee on Veterans’ Affairs, House of Representatives 


Why GAO Did This Study 

In March of this year, GAO testified before the Subcommittee about the Department of 
Veterans Affairs’ (VA) information technology (IT) program, and the strides that the 
Secretary had made in improving departmental leadership and management of this 
critical area, including the hiring of a chief information officer. 

At the Subcommittee’s request, GAO evaluated VA’s new IT organizational structure, 
and provided an update on VA’s progress in addressing other specific areas of IT 
concern and our related recommendations pertaining to 

■ enterprise architecture, 

■ information security, 

■ the Veterans Benefits Administration’s replacement compensation and pension 
payment system and maintenance of the Benefits Delivery Network, and 

■ the government computer-based patient record initiative. 


What GAO Found 

Since our March testimony, VA has made important progress in its overall management 
of information technology. For example, the Secretary’s decision to centralize IT 
functions, programs, and funding under the department-level CIO holds great promise 
for improving the accountability and management of IT spending, currently over $1 
billion per year. But in this as well as the other areas of prior weakness, the strength 
of VA’s leadership and continued management commitment to achieving improvements 
will ultimately determine the department’s degree of success. As for its progress in 
other areas: 

■ Enterprise architecture. The Secretary recently approved the initial, “as is” version 
of this blueprint for evolving its information systems, focused on defining the 
department’s current environment for selected business functions. VA still, however, 
needs to select a permanent chief architect and establish a program office to 
facilitate, manage, and advance this effort. 

■ Information security. Steps have been taken that should help provide a more solid 
foundation for detecting, reporting, and responding to security incidents. 
Nonetheless, the department has not yet fully implemented a comprehensive computer 
security management program that includes a process for routinely monitoring and 
evaluating the effectiveness of security policies and controls, and acting to address 
identified vulnerabilities. 

■ Compensation and pension payment system. While some actions have been taken, 
after more than 6 years, full implementation of this system is not envisioned before 
2005; this means that the 3.5 million payments that VA makes each month will 
continue to depend on its present, aging system. 

■ Government computer-based patient record initiative. VA and the Department of 
Defense have reported some progress in achieving the capability to share patient 
health care data under this program. Since March, the agencies have formally renamed 
the initiative the Federal Health Information Exchange and have begun implementing a 
more narrowly defined strategy involving a one-way information transfer from Defense 
to VA; a two-way exchange is planned by 2005. 


This is a test for developing highlights for a GAO report. The full testimony, including GAO’s objectives, scope, methodology, and analysis, is 
available at www.gao.gov/cgi-bin/getrpt?GAO-02-1054T. For additional information about the testimony, contact Joel C. Willemssen (202-512-6253) or at 
willemssenj@gao.gov. To provide comments on this test highlights, contact Keith Fultz (202-512-3200) or email HighlightsTest@gao.gov. 
Mr. Chairman and Members of the Subcommittee: 

Thank you for inviting us to take part in your discussion of the Department of Veterans Affairs’ 
(VA) information technology (IT) program. Information technology continues to play an 
integral and substantial role in helping VA effectively serve our nation’s veterans, with the 
department spending more than a billion dollars annually in support of its information 
technology operations. As you are well aware, however, the department has been challenged in 
its efforts to effectively manage its information technology to produce results and achieve 
optimal agency performance. 

Our testimony last March noted important strides by the Secretary of Veterans Affairs to 
improve the department’s IT leadership and management, including the hiring of a chief 
information officer (CIO) to lead the program and a commitment to reform how the department 
uses information technology.¹ Since that time, the Secretary has taken additional steps toward 
achieving improvements in key areas of IT performance, including recently announcing a 
realignment of the way in which the department is organized to carry out its information 
technology mission. 

At your request, we will discuss today this new organizational structure and resulting changes in 
the role of VA’s CIO. In addition we will provide an update of the department’s progress since 
March in addressing specific weaknesses in its overall information technology program, 
including the status of its actions to 

• develop an enterprise architecture, 

• improve information security, 


¹U.S. General Accounting Office, Progress Made, but Continued Management Attention Is Key to Achieving 
Results, GAO-02-369T (Washington, D.C.: Mar. 13, 2002). 
• implement the Veterans Benefits Administration’s (VBA) veterans service network 
(VETSNET) replacement compensation and pension payment system and maintain the 
existing Benefits Delivery Network, and 

• implement jointly with the Department of Defense and Indian Health Service the 
government computer-based patient record initiative. 

In conducting this work we analyzed relevant documentation and interviewed key agency 
officials to identify and assess VA’s decisions and actions since March to improve its 
information technology management. We reviewed available documentation discussing the 
department’s plans and strategies for realigning its information technology structure. We also 
examined its enterprise architecture strategy as well as steps being taken to strengthen computer 
security management departmentwide. Further, we conducted site visits at the Veterans 
Benefits Administration’s regional office in Salt Lake City to assess the current use of 
VETSNET in processing compensation and pension benefits claims; and at the VA medical 
center in Washington, D.C., to observe data retrieval capabilities of the Federal Health 
Information Exchange (formerly the government computer-based patient record initiative). We 
performed our work in accordance with generally accepted government auditing standards, in 
August and September of this year. 

RESULTS IN BRIEF 


Over the past 6 months, VA has shown clear progress in addressing some of the critical 
weaknesses that have plagued its management of information technology. The Secretary of 
Veterans Affairs and other top agency leaders have continued to make important strides in 
improving key areas of IT performance. Nonetheless, some aspects of the department’s 
information technology environment continue to be particularly challenging and to require 
substantial management attention. As the department proceeds, ensuring sound project 
management and oversight will continue to be essential to advancing its efforts. 


GAO-02-1054T 


Accountability for its information technology investments should be well served by VA’s 
recently announced realignment of its information technology structure. Although yet to be 
finalized, the Secretary’s decision to centralize information technology functions, programs, and 
funding under the department-level CIO shows promise for improving IT accountability and 
enabling the department to implement its One VA vision.² The additional oversight afforded the 
CIO could have a significant impact on the department’s ability to more effectively capture and 
manage its IT spending. 

Beyond its actions to establish greater accountability in this area, the department continues to 
make important progress in developing its departmentwide enterprise architecture — the blueprint 
for evolving its information systems and developing new systems that optimize their mission 
value. The Secretary recently approved the initial version of VA’s enterprise architecture, 
focused on defining the department’s current, “as is” and desired, “to be” target environments for 
selected business functions. Nonetheless, VA must still accomplish critical actions to ensure 
successful completion of its architecture. For example, to achieve a sound program management 
structure, it needs to select a permanent chief architect and establish a program office to 
facilitate, manage, and advance this effort. 

In another critical area, the department continues to make progress in strengthening its 
information security. It has taken actions that should help provide a more solid foundation for 
detecting, reporting, and responding to security incidents. Among these actions, it has contracted 
to expand departmentwide incident response and analysis capabilities, including enhancing 
security monitoring and detection. Nonetheless, the department has not yet fully implemented a 
comprehensive computer security management program that includes a process for routinely 
monitoring and evaluating the effectiveness of security policies and controls and addressing 
identified vulnerabilities. Further, VA’s offices self-report computer security weaknesses, and it 
lacks an independent component to ensure the accuracy of reporting and validation of corrective 
actions taken. 


²According to the department, the “One VA” vision describes how it will use information technology in versatile 
new ways to improve services and enable VA employees to help customers more quickly and effectively. It stems 
from the recognition that veterans think of VA as a single entity, but often encounter a confusing, bureaucratic maze 
of uncoordinated programs that put them through repetitive and frustrating administrative procedures and delays. 
Conversely, the department is not making as much progress in addressing the challenges 
associated with implementing its VETSNET compensation and pension replacement payment 
system. Specifically, after more than 6 years, the department still has significant work to 
accomplish, and could be several years from fully implementing the system. Complete 
implementation is not anticipated until 2005, thus requiring continued reliance on the aging 
Benefits Delivery Network to provide the more than 3.5 million payments that VA must make to 
veterans each month. 

Finally, VA and DOD have made some progress in achieving the capability to share patient 
health care data begun under the government computer-based patient record (GCPR) initiative. 
This progress was achieved as part of a substantially revised, scaled-down strategy. As part of 
this new strategy that the two agencies have now implemented, clinicians in VA medical 
facilities throughout the country have access to health information on more than a million 
separated service personnel. 

IT REALIGNMENT INCREASES 
AUTHORITY AND OVERSIGHT OF 
VA’s CHIEF INFORMATION OFFICER 


Successful implementation of VA’s information technology program requires strong leadership 
and management to help define and guide the department’s plans and actions. The Paperwork 
Reduction Act of 1980 and the Clinger-Cohen Act of 1996³ articulate the importance of CIOs in 
promoting improvements in their agencies’ work processes and making sound investment 
decisions that effectively align IT projects with the organization’s business planning and 
measurement processes. To be successful in this role, CIOs must build credible organizations 
and develop and organize information management capabilities to meet agency mission needs. 

With the hiring of a department-level CIO in August 2001, VA took a significant step toward 
addressing critical and longstanding weaknesses in its management of information technology. 
Our prior work has highlighted some of the challenges that the CIO faced as a result of the way 


³44 U.S.C. 3506 and P.L. 104-106, Section 5125, respectively. 
in which the department was organized to carry out its information technology mission.⁴ Among 
these challenges was that information systems and services were highly decentralized, with the 
VA administrations and staff offices controlling a majority of the department’s information 
technology budget. As illustrated in figure 1, out of the approximately $1.25 billion fiscal year 
2002 information technology budget, the Veterans Health Administration (VHA) oversaw 
approximately $1.02 billion, VBA approximately $158.3 million, and the National Cemetery 
Administration (NCA) approximately $5.87 million. The remaining $60.2 million was 
controlled at the department level. 

Figure 1: Breakdown of VA’s $1.25 Billion Information Technology Budget (fiscal year 2002) 



Source: GAO analysis. 


In addition, our testimony in March noted that there was neither direct nor indirect reporting to 
VA’s cyber security officer — the department’s senior security official — thus raising questions 
about this person’s ability to enforce compliance with security policies and procedures and 
ensure accountability for actions taken throughout the department. The more than 600 


⁴U.S. General Accounting Office, VA Information Technology: Important Initiatives Begun, Yet Serious 
Vulnerabilities Persist, GAO-01-550T (Washington, D.C.: Apr. 4, 2001) and GAO-02-369T. 
information security officers in VA’s three administrations and its many medical facilities 
throughout the country were responsible for ensuring the department’s information security, 
although they reported only to their facility’s director or to the chief information officer of their 
administration. 

Given the large annual funding base and decentralized management structure, it is crucial that 
the CIO ensure that well-established and integrated processes for leading, managing, and 
controlling investments are commonplace and followed throughout the department. The 
Secretary has recognized weaknesses in accountability for the department’s information 
technology resources and the consequent need to reorganize how information technology is 
managed and financed. Accordingly, in a memorandum dated August 6, 2002, he announced a 
realignment of the department’s information technology operations. According to the 
memorandum, the realignment will centralize information technology functions, programs, 
workforce personnel, and funding into the office of the department-level CIO. In particular, 
several significant changes are being made: 

• The CIOs in each of the three administrations — VHA, VBA, and NCA — have been 
designated deputy CIOs and will report directly to the department-level CIO. Previously, 
these officials served as component-level CIOs who reported only to their respective 
administrations’ undersecretaries. 

• All administration-level cyber security functions have been consolidated under the 
department’s cyber security office, and all monies earmarked for these functions have been 
placed under the authority of the cyber security officer. Information security officers 
previously assigned to VHA’s 21 veterans integrated service networks will now report 
directly to the cyber security officer, thus extending the responsibilities of the cyber security 
office to the field. 

• Beginning in fiscal year 2003, the department-level CIO will assume executive authority 
over VA’s IT appropriations. 
The realignment had not been finalized at the conclusion of our review; thus its full impact on 
VA’s mission and the CIO’s success in managing information technology at the department level 
could not yet be measured. Nonetheless, in pursuing these reforms, the Secretary has 
demonstrated the significance of establishing an effective management structure for building 
credibility in the way information technology is used, and has taken a significant step toward 
achieving a “One VA” vision. 

The Secretary’s initiative also represents a bold and innovative step by the department, and is 
one that has been undertaken by few other federal agencies. For example, as part of our review, 
we sent surveys to the 23 other major federal agencies, seeking information on the organization 
and reporting relationships of their department- and component-level CIOs. Of the 17 agencies 
that responded, 8 reported having component-level CIOs, none of which reported to the 
department-level CIO. Only one agency with component-level CIOs reported that its 
department-level CIO had authority over all IT funding. 

As the realignment proceeds, the CIO’s success in managing information technology operations 
will hinge on effective collaboration with business counterparts to guide IT solutions that meet 
mission needs. Guidance that we issued in February 2001 on the effective use of CIOs in several 
leading private and public organizations provides insight into three key factors contributing to 
CIO successes: 

• First, senior executives embrace the central role of technology in accomplishing mission 
objectives and include the CIO as a full participant in senior executive decision-making. 

• Second, effective CIOs have legitimate and influential roles in leading top managers to apply 
IT to business problems and needs. While placement of the CIO position at an executive 
management level in the organization is important, effective CIOs earn credibility and 
produce results by establishing effective working relationships with business unit heads. 

• Third, successful CIOs structure their organizations in ways that reflect a clear understanding 
of business and mission needs. Along with business processes, market trends, internal legacy 
structures, and available IT skills, this understanding is necessary to ensure that the CIO’s 
office is aligned to best serve the needs of the enterprise.⁵ 

VA’s new organizational structure holds promise for building a more solid foundation for 
investing in and improving the department’s accountability over information technology 
resources. Specifically, under the realignment the CIO assumes budget authority over all IT 
appropriations, including authority to veto proposals submitted from sub-department levels. This 
could have a significant effect on VA’s accountability for how components are spending money, 
as we have previously noted the department’s inability to adequately capture all of its IT costs.⁶ 

As the first step toward gaining accountability for information technology investments, the CIO 
is attempting to determine what expenditures have been incurred in fiscal year 2002. Since VA’s 
annual budget submissions to OMB have not included a specific line item for information 
technology operations, the CIO has asked each administration to provide accurate information 
identifying the costs incurred by each of them for this fiscal year. According to the CIO, 
preliminary results showed that certain non-IT costs, such as for users’ personnel, had been 
included in the total expenditures, while some IT costs, such as for IT personnel and 
telecommunications, had been excluded. The CIO’s goal is to compile cost data that accurately 
reflect the department’s information technology expenditures. 

In the absence of a budget line item, the CIO is requiring each facility to develop “spend plans” 
for fiscal year 2003 IT funding. These plans are expected to serve as a control mechanism for 
information technology expenditures during the year and will be administered by each facility, 
with the CIO retaining veto power over them. The plans have been designed to provide the CIO 
with investment cost details at a departmentwide level, allowing for a portfolio-based project 
selection process and lessening duplication of effort. Once the plans are implemented, the CIO 
anticipates being able to compare planned and actual expenditures and to uncover the details of 
specific projects. 


⁵U.S. General Accounting Office, Maximizing the Success of Chief Information Officers: Learning From Leading 
Organizations, GAO-01-376G (Washington, D.C.: February 2001). 

⁶U.S. General Accounting Office, VA Information Technology: Progress Continues Although Vulnerabilities 
Remain, GAO/T-AIMD-00-321 (Washington, D.C.: Sept. 21, 2000). 


PROGRESS TOWARD DEVELOPING AN 
ENTERPRISE ARCHITECTURE CONTINUES, 
BUT ADDITIONAL WORK NEEDED 


Developing and implementing an enterprise architecture⁷ to guide VA’s information technology 
activities continues to be an essential and challenging undertaking. VA and other federal 
agencies are required to develop and implement enterprise architectures to provide a framework 
for evolving or maintaining existing and planned IT, in accordance with OMB guidelines.⁸ In 
addition, guidance issued last year by the Federal CIO Council,⁹ in collaboration with us, further 
emphasizes the importance of enterprise architectures in evolving information systems, 
developing new systems, and inserting new technologies that optimize an organization’s mission 
value. Overall, effective implementation of an enterprise architecture can facilitate VA’s 
management by serving to inform, guide, and constrain the information technology investment 
decisions being made for the department, and subsequently decreasing the risk of buying and 
building systems that are duplicative, incompatible, and unnecessarily costly to maintain and 
interface. 

As depicted in figure 2, the enterprise architecture is both dynamic and iterative, changing the 
enterprise over time by incorporating new business processes, new technology, and new 
capabilities. Depending on the size of the agency’s operations and the complexity of its 
environment, enterprise architecture development and implementation require sustained attention 
to process management and agency action over an extended period of time. Once implemented, 
the enterprise architecture must be kept current through regular maintenance. 

⁷An enterprise architecture is a blueprint for systematically and completely defining an organization’s current 
(baseline) operational and technology environment, and a roadmap toward the desired (target) state. It is an 
essential tool for effectively and efficiently engineering business processes and for implementing their supporting 
systems and helping them evolve. 

⁸OMB, Management of Federal Information Resources, Circular A-130 (Washington, D.C.: Nov. 30, 2000). 

⁹Chief Information Officer Council, A Practical Guide to Federal Enterprise Architecture, Version 1.0 
(Washington, D.C.: February 2001). 
Periodic reassessments are required to ensure that it remains aligned with the department’s 
strategic mission and priorities, changing business practices, funding profiles, and technology 
innovation. 


Figure 2: The Enterprise Architecture Process 



Source: A Practical Guide to Federal Enterprise Architecture, Version 1.0, 2001 


When we testified last March, VA had taken a number of promising steps toward establishing 
some of the core elements of an enterprise architecture. Among other actions, it had obtained 
executive commitment from the Secretary, department-level CIO, and other senior executives 
and business teams that is crucial to raising awareness of and leveraging participation in 
developing the architecture. VA had also chosen a highly recognized framework¹⁰ to organize the 
structure of its enterprise architecture. Further, it had begun defining its current architecture, 
an important step for ensuring that future progress can be measured against such a baseline, and 
it was developing its future (target) telecommunications architecture. 

Nonetheless, at that time we noted that VA still faced many more critical tasks to successfully 
develop, implement, and manage its enterprise architecture. One of the key activities that 
required attention was the establishment of a program management office headed by a permanent 
chief architect to manage the development and maintenance of the enterprise architecture. In 
addition, the department needed to complete a program management plan delineating how it 
would develop, use, and maintain the architecture. Further, although VA had developed a 
baseline application inventory to describe its “as is” state, it had not completed validating the 
inventory or developing detailed application profiles for the inventory, including essential 
information such as business functions, information flows, and external interface descriptions. 

VA Has Expanded Its Initial Enterprise 
Architecture Development Work 

Over the past 6 months, VA has made substantial strides toward instituting its enterprise 
architecture program. For example, in April it issued its fiscal year 2002 One VA enterprise 
architecture implementation plan, which will be used to align integrated technology solutions 
with the department’s business needs. And in July, the CIO issued a mandatory directive 
prescribing departmentwide policy for the establishment and implementation of an integrated 
One VA enterprise architecture and to guide the development and management of all of VA’s IT 
assets.¹¹ VA also finalized its enterprise architecture communications plan that will be used to 
help business and IT management and staff develop a corporate model of customer service. 


¹⁰Among the experts that VA consulted was John Zachman, author of “A Framework for Information Systems 
Architecture,” referred to as the Zachman framework (IBM Systems Journal, vol. 26(3), 1987). This framework 
provides a common context for understanding a complex structure and enables communication among those 
involved in developing or changing the structure. 

¹¹Department of Veterans Affairs, Department of Veterans Affairs (VA) Enterprise Architecture (EA), VA Directive 
6051 (Washington, D.C.: July 12, 2002). 
More recently, on September 5, the Secretary approved the initial version of the department’s 
One VA enterprise architecture. VA officials describe the architecture as a top-down, business- 
focused document that provides a blueprint for systematically defining and documenting the 
department’s desired (target) environment. The document provides a high-level, overarching 
view of the department’s “as is” enterprise business functions and key enabling functions.¹² 

VA’s work to develop the “as is” view revealed the complexities of its baseline information 
systems, work processes, and supporting infrastructure. For example, it identified over 30 
independently designed and operated data networks, over 200 independent external network 
connections, over 1,000 remote access system modem connections, and a total of 7,224 office 
automation servers that are currently part of the baseline environment. 

The enterprise architecture document also incorporates high-level versions of a sequencing plan, 
technical reference model, and standards profile — all of which are critical to ensuring the 
complete development and implementation of the architecture. A sequencing plan serves as a 
systems migration roadmap to provide the agency with a step-by-step process for moving from 
the baseline to the target architecture. The technical reference model provides a knowledge base 
for a common conceptual framework, defines a common vocabulary and set of services and 
interfaces, and serves as a tool for the dissemination of technical information across the 
department. The standards profile, used in conjunction with the technical reference model, 
assists departmental components in coordinating the acquisition, development, and 
interoperability of systems to accomplish the department’s enterprise architecture program goals. 

Further, VA has integrated security practices into the initial version of its enterprise architecture. 
These security practices provide a high-level description of the baseline and target distributed 
systems architectures for major elements of the department’s cyber security infrastructure. 


Enterprise business functions are externally focused functions involving direct interactions with veterans across the 
enterprise, such as providing medical care benefits, vocational rehabilitation, and employment benefits. Key 
enabling functions are those necessary to support the enterprise business functions, such as eligibility and 
registration, and enable smooth operation of the overall enterprise both internally and externally. 

Even with notable progress, VA must nonetheless complete a number of additional actions to 
fully implement and effectively manage its enterprise architecture. With the Federal CIO 
Council’s guide as a basis for analysis, table 1 illustrates the progress that the department has 
made since March in accomplishing key enterprise architecture process steps, along with 
examples of the various critical actions still required to successfully implement and sustain its 
enterprise architecture program. 


Table 1: VA’s Progress in Developing, Implementing, and Using an Enterprise Architecture 
as of September 2002 

The table lists the steps in the enterprise architecture (EA) process (a), whether VA had completed each step as 
of September 2002, examples of actions VA has taken or planned since March 2002, and examples of key 
actions yet to be performed. The completion-status checkmarks are not legible in the scanned text, so only the 
three text columns are reproduced below. 

Issue executive enterprise architecture policy 

Obtain support from senior executive and business units 

Establish technical review committee 

Establish capital investment council 
  Actions since March 2002: Drafted the Information Technology Integrated Management Guide, which lays 
  out the integration of VA’s EA, capital planning, investment, and project management functions. Completed 
  integration of its capital planning, investment, and project management functions, and uses it to evaluate 
  IT projects. 

Establish EA executive steering committee 

Select products that represent business of enterprise 

Select products that represent agency technical assets 

Evaluate and select framework 

Select EA tool set 

Collect information that describes existing enterprise 
  Actions since March 2002: Version 1.0 of VA’s EA includes high-level descriptions of its baseline 
  enterprise architecture business functions and key enabling functions from the planners’, business 
  owners’, designers’, and builders’ viewpoints. 
  Key actions yet to be performed: Continue development of the enterprise architecture to fully describe 
  and document all current business functions and the technology infrastructure. 

Generate products and populate EA repository (b) 
  Actions since March 2002: Repository established on VA’s intranet Web site is populated with data on the 
  planners’ and owners’ views of VA’s architecture. In FY 2003 VA plans to assess the need to develop a new 
  repository and the contents of that repository. 
  Key actions yet to be performed: Complete population of the EA repository with products that describe the 
  relationships among information elements and work products. 

Review, validate, and refine models 
  Actions since March 2002: Enterprise Architecture Council subject matter experts reviewed, validated, and 
  refined models contained in version 1.0 of the enterprise architecture. Council membership included 
  representatives from VA’s technical and business lines. 
  Key actions yet to be performed: Have subject matter experts continue to assess enterprise architecture 
  products for accuracy and completeness. 

Collect information that defines future business operations and supporting technology: strategic business 
objectives; information needed to support business; applications to provide information; technology to 
support applications 
  Actions since March 2002: Version 1.0 of VA’s enterprise architecture contains high-level descriptions of 
  VA’s enterprise business functions and key enabling functions from the planners’ and business owners’ 
  views of the Zachman framework. 
  Key actions yet to be performed: Continue to decompose and further define key elements of the target 
  architecture. 

Generate products and populate EA repository 
  Actions since March 2002: Repository established on VA’s intranet Web site is populated with data on the 
  planners’ and owners’ views of the VA architecture. In FY 2003 VA plans to assess the need for another 
  repository and the contents of that repository. 
  Key actions yet to be performed: Complete population of the ... (remainder of cell illegible in the scan). 

Review, validate, and refine models 
  Actions since March 2002: Subject matter expert review of version 1.0 of the enterprise architecture 
  carried out by members of the Enterprise Architecture Council from VA’s technical and business lines. 

Identify gaps 
  Actions since March 2002: July 8, 2002 sequencing plan contained in version 1.0 of EA provides a high-level 
  overview of how VA will migrate from the current to the target architecture. 
  Key actions yet to be performed: Identify gaps to assess the ... systems, ... opportunities, and ... reality 
  of the ... (cell largely illegible in the scan). 

Define and differentiate among legacy, migration, and new systems 
  Key actions yet to be performed: Address all activities in this step. 

Plan migration 
  Key actions yet to be performed: Address all activities in this step. 

Disseminate EA products 
  Key actions yet to be performed: Address all activities in this step. 

Integrate EA with capital planning and investment control and systems life cycle processes 
  Actions since March 2002: Drafted the Information Technology Integrated Management Guide, which lays 
  out the integration of VA’s EA, capital planning, investment, and project management functions. 
  Implemented the integrated capital planning, investment, and project management functions, and uses 
  them to evaluate IT projects. 
  Key actions yet to be performed: Finalize and issue the Information Technology Integrated Management 
  Guide. 

Train personnel 
  Actions since March 2002: Developing a project manager training curriculum. Used the annual department 
  CIO conference to conduct an overview of the department’s EA effort. 
  Key actions yet to be performed: Ensure that members of all EA decision-making bodies are trained in the 
  EA process, the relationship of the EA to the capital planning and investment control process, and the 
  system life cycle; EA training should also be provided to current and future IT project managers. 

Establish enforcement processes and procedures 
  Actions since March 2002: VA Directive 6051; VA EA Strategy, Governance, & Implementation; One-VA EA 
  Implementation Plan: FY 2002; One-VA Enterprise Architecture (version 1.0). 
  Key actions yet to be performed: Develop precise definitions and criteria for compliance as well as 
  different levels of compliance. 

Set up integrated reviews 
  Key actions yet to be performed: Address all activities in this step. 

Execute integrated process 

Initiate new and follow-up projects 
  Key actions yet to be performed: Address all activities in this step. 

Prepare proposal 

Align project to EA 

Execute projects 

Manage and perform project development 

Evolve EA with program/project 

Assess progress 

Complete project 
  Key actions yet to be performed: Address all activities in this step. 

Deliver product 

Assess architecture 

Evaluate results 

Consider other uses of EA 

Maintain EA as enterprise evolves 

Reassess EA periodically 

Manage projects to reflect reality 

Ensure business direction and processes reflect operations 

Ensure current architecture reflects system evolution 

Evaluate legacy system maintenance requirements against sequencing plan 

Maintain sequencing plan as integrated program plan 

Continue to consider proposals for EA modifications 

(a) Chief Information Officer Council. 

(b) A repository is an information system used to store and access architectural information, relationships among the 
information elements, and work products. 

Source: GAO analysis. 


As the table indicates, immediate attention still needs to be focused on acquiring a permanent 
chief architect to manage the development and maintenance of the enterprise architecture. 
Currently, the chief technology officer serves as the acting chief architect while the department 
recruits someone to fill the position on a permanent basis. According to the acting chief 
architect, VA anticipates filling the position in early 2003. The enterprise architecture program 
management office likewise needs to be fully staffed. As of September 6, 5 of the office’s 16 
positions had been filled. Officials expect this office to be fully staffed by the end of this year. 
Instituting a permanent chief architect with the requisite core competencies to lead the enterprise 
architecture development, and fully staffing the enterprise architecture program office to support 
the effort, will provide vital components of the management and oversight necessary for a successful 
enterprise architecture program. 

Two quality assurance roles — those of risk manager and configuration manager — also still need 
to be filled. At the conclusion of our review, VA’s Enterprise Architecture Council was 
performing risk and configuration management and its Information Technology Board was 
performing quality assurance functions. However, Federal CIO Council guidance recommends 
that the CIO make risk and configuration management the explicit responsibilities of individuals 
designated for those roles. The guide further recommends that the CIO establish an independent 
quality assurance function to evaluate the enterprise architecture. 

VA must also still develop a program management plan to delineate how it will develop, use, and 
maintain the enterprise architecture. Such a plan is integral to providing definitive guidance for 
effectively managing the enterprise architecture program. 

Beyond these actions, VA must continue to enhance the enterprise architecture that it has begun 
instituting. For example, additional work is needed to fully develop the baseline and target 
architectures to encompass all of the department’s business functions, identify common areas of 
business, and eliminate duplication of processes across the organization through business process 
reengineering. As the initial version of the enterprise architecture notes, significant process 
duplication exists across the department. For example, VA identified eight different ways in 
which registration and eligibility are determined in the “as-is” (baseline) architecture. 
Nonetheless, although VA recognized opportunities for integrating and consolidating the 
department’s duplicate processes and functions, its initial enterprise architecture document 
lacked any specific guidance on how and when consolidation and integration will take place. 

Also, important to the success of an enterprise architecture effort is a fully-developed enterprise 
architecture repository. Such a system serves to highlight information interdependencies and 
improves the understandability of information across an organization. It also helps to 
significantly streamline change control by establishing linkages among the information, 
facilitating impact analyses, and providing for ready evaluations of change proposals. Although 
VA’s enterprise architecture repository contains information reflecting the views of its business 
planners and owners, the department still needs to completely populate the repository with data 
that describe the interrelationships among all information elements and work products. The 
acting chief architect stated that, in fiscal year 2003, the department will assess its need for a 
different system to serve as the EA repository. 

As establishment of the enterprise architecture proceeds, VA also will need to further refine its 
sequencing plan to identify differences between baseline and target architectures and gaps in the 
process, and to assess the state of legacy, migration, and new systems, and budget priorities and 
constraints. In addition, the acting chief architect noted that the current version of the technical 
reference model is generic and will require further development. Such customization is 
important in order to provide VA with consistent sets of service areas and interface categories 
and relationships used to address interoperability and open systems issues and serve as a basis 
for identifying, comparing, and selecting existing and emerging standards and their relationships. 
Such a document can also be used to organize infrastructure documentation. 

According to VA officials, actions to refine and build upon the enterprise architecture are 
ongoing, and the department plans to issue an interim revision to the initial document within 4 to 
6 months, and a completely new version by July 2003. The Enterprise Architecture Council will 
be responsible for developing these products. As the enterprise architecture management 
program moves forward, the department must ensure that it continues to sufficiently address and 


A repository is an information system used to store and access architecture information, relationships among the 
information elements, and work products. 

complete all critical process steps outlined in the federal CIO guidance within reasonable time 
frames. With enhanced management capabilities provided by an enterprise architecture 
framework, VA should be able to (1) better focus on the strategic use of emerging technologies 
to manage its information, (2) achieve economies of scale by providing mechanisms for sharing 
services across the department, and (3) expedite the integration of legacy, migration and new 
systems. 


INFORMATION SECURITY 
CONTINUES TO REQUIRE 
TOP MANAGEMENT ATTENTION 


VA’s information security continues to be an area of significant concern. The department relies 
extensively on computer systems and telecommunications networks to meet its mission of 
providing health care and benefits to veterans. VA’s systems support many users, its networks 
are highly interconnected, and it is moving increasingly to more interactive, Web-based services 
to better meet the needs of its customers. Effectively securing these systems and networks is 
critical to the department’s ability to safeguard its assets, maintain the confidentiality of sensitive 
medical information, and ensure the reliability of its financial data. 

As this subcommittee is well aware, VA has faced long-standing challenges in achieving 
effective computer security across the department. Since 1998 we have reported on wide- 
ranging deficiencies in the department’s computer security controls. Among the weaknesses 
highlighted was that VA had not established effective controls to prevent individuals from 
gaining unauthorized access to its systems and sensitive data. In addition, the department had 
not provided adequate physical security for its computer facilities, assigned duties in a manner 
that segregated incompatible functions, controlled changes to its operating systems, or updated 
and tested its disaster recovery plans. Similar weaknesses have been confirmed by VA’s 
inspector general, as well as through the department’s own assessments of its computer security 


U.S. General Accounting Office, Information Systems: VA Computer Control Weaknesses Increase Risk of Fraud, 
Misuse, and Improper Disclosure, GAO/AIMD-98-175 (Washington, D.C.: Sept. 23, 1998) and GAO-02-369T. 

controls in response to government information reform legislation. As evidence, since 
September 2001, VA has self-reported approximately 27,000 control weaknesses related to 
physical and logical access, segregation of duties, system and application controls, and 
continuity of operations. As of August 31, 2002, according to VA, about half (14,000) of these 
weaknesses remained unresolved. 

Contributing significantly to VA’s computer security problems has been its lack of a fully 
implemented, comprehensive computer security management program — essential to managing 
risks to business operations that rely on its automated and highly interconnected systems. Our 
1998 report on effective security management practices used by several leading public and 
private organizations and a companion report on risk-based security approaches in 1999 
identified key principles that can be used to establish a management framework for more 
effective information security programs. This framework, depicted in figure 3, points to five key 
areas of effective computer security program management — central security management, 
security policies and procedures, risk-based assessments, security awareness, and monitoring and 
evaluation. Leading organizations we examined applied these key principles to ensure that 
information security addressed risks on an ongoing basis. Further, these principles have been 
cited as useful guidelines for agencies by the Federal CIO Council and incorporated into the 
council’s information security assessment framework, intended for agency self-assessments. 


The government information security reform provisions of the fiscal year 2001 Defense Authorization Act (P.L. 
106-398) require annual agency program reviews and annual independent evaluations for both non-national security 
and national security information systems. 

U.S. General Accounting Office, Information Security Management: Learning From Leading Organizations, 
GAO/AIMD-98-68 (Washington, D.C.: May 1998). 

U.S. General Accounting Office, Information Security Risk Assessment: Practices of Leading Organizations, 
GAO/AIMD-00-33 (Washington, D.C.: November 1999). 

Chief Information Officers Council, Federal Information Technology Security Assessment Framework 
(Washington, D.C.: Nov. 28, 2000). 

Figure 3: Information Security Risk Management Framework (figure not reproduced in the text) 



When we testified before the subcommittee in March, VA had begun a number of actions to 
strengthen its overall computer security management posture. For example, the Secretary had 
instituted information security standards for members of the department’s senior executive 
service to provide greater management accountability for information security. In addition, 
VA’s cyber security officer had organized his office to focus more directly on the critical 
elements of information security control that are defined in our information systems controls 
audit methodology. The cyber security officer also had updated the department’s security 


U.S. General Accounting Office, Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6 
(Washington, D.C.: January 1999). 

management plan, outlining actions for developing risk-based security assessments, improving 
the monitoring and testing of systems controls, and implementing departmentwide virus- 
detection software and intrusion-detection systems. The plan placed increased emphasis on 
centralizing key security functions that were previously decentralized or nonexistent, including 
virus detection, systems certification and accreditation, network management, configuration 
management, and incident and audit analysis. 

Nonetheless, while VA had completed a number of important steps, its security management 
program continued to lack essential elements required for protecting the department’s computer 
systems and networks from unnecessary exposure to vulnerabilities and risks. For example, 
while the department had begun to develop an inventory of known security weaknesses, it had 
not instituted a comprehensive, centrally managed process that would enable it to identify, track, 
and analyze all computer security weaknesses. Further, the updated security management plan 
did not articulate critical actions that VA would need to take to correct specific control 
weaknesses or time frames for completing key actions. 

Progress Continues, But Actions Still 
Needed To Achieve a Comprehensive 
Security Management Program 

Since March, the department has taken important steps to further strengthen its computer security 
management program. For example, the cyber security officer has updated and expanded the 
department’s information security policies and procedures, placing increased emphasis on better 
securing and overseeing the department’s computer environment. More recently, as discussed 
earlier, VA’s realignment of its information technology resources placed administration and field 
office security functions more directly under the oversight of the department’s CIO. 

VA has also acted to help provide a more solid foundation for detecting, reporting, and 
responding to security incidents. For example, it has contracted to acquire an expanded 
departmentwide incident response and analysis capability, to include enhanced security 
monitoring and detection. Further, it has enhanced its computer virus detection program by 
providing technical training to operational staff and distributing antivirus patches for known 


GAO-02-1054T 


viruses to affected systems. In addition, VA has initiated a multiyear project intended to 
consolidate, protect, and centrally manage external connections to its critical financial, medical, 
and benefits systems. This project, with full implementation planned for September 2004, is 
expected to reduce the approximately 200 external computer network connections that the 
department now relies on to about 10. By reducing these connections, VA should be better 
positioned to effectively reduce its risk of unauthorized access to its critical systems. 

As was the case last March, however, VA’s actions have not yet been sufficient to fully 
implement all of the key elements of a comprehensive computer security management program. 
In assessing the department’s recent corrective actions relative to our information security risk 
management framework, VA still needs to accomplish a number of critical tasks that are 
essential to successfully achieving a comprehensive and effective computer security management 
program. Table 2 summarizes the steps that VA still needs to accomplish in order to fully 
implement a comprehensive program. 
Table 2: Actions Needed to Ensure a Comprehensive Computer Security Management Program 

The table lists the important elements of a computer security management program (a), the actions needed 
as of March 2002, the actions VA has taken since March 2002, and the actions still needed. 

Central security management function to guide and oversee compliance with established policies and 
procedures and review effectiveness of the security environment 
  Actions needed as of March 2002: Ensure that full-time security officers or staff with primary duty for 
  security are assigned to information security officer (ISO) positions and clearly define their roles and 
  responsibilities. Develop guidance to ensure authority and independence of security officers. Develop 
  policies and procedures to ensure departmentwide coordination of security functions. 
  Actions VA has taken since March 2002: Established a tracking mechanism to identify security officers and 
  the systems under their respective purview at each location. VA Secretary centralized the department’s IT 
  program, including authority, personnel, and funding, in the Office of the Chief Information Officer. 

Security policies and procedures that govern a complete computer security program and integrate all 
security aspects of an organization’s environment, including local area networks, wide area networks, and 
mainframe security 
  Actions needed as of March 2002: Refocus department policy to address security from an interconnected 
  VA systems environment perspective in addition to that of individual systems. Develop and implement 
  technical security standards for mainframe and other systems and security software. 
  Actions VA has taken since March 2002: Developed policies to address external connections and standards 
  for public key infrastructure authentication. 
  Actions still needed: Develop specific policy to address security ... interconnectivity of all internal and 
  external VA ... (cell partly illegible in the scan). Develop and implement technical security standards for 
  mainframe and other systems and security software. 

Periodic risk assessments to assist management in making decisions on necessary controls to help ensure 
that security resources are effectively distributed to minimize potential loss 
  Actions needed as of March 2002: Include best minimum standards or guidance for performing risk 
  assessments in methodology. Develop guidance for determining when an event is a significant change and 
  explaining the level of risk assessment required for these system changes. 

Security awareness to educate users about current information security risks, policies, and procedures 
  Actions needed as of March 2002: Establish a process to ensure program compliance. 
  Actions still needed: Establish a process to ensure program compliance. 

Monitoring and evaluating computer controls to ensure their effectiveness, improve them, and oversee 
compliance 
  Actions needed as of March 2002: Develop specific requirements for conducting a compliance review 
  program. Develop an ongoing program for testing controls to include assessments of both internal and 
  external access to VA systems; expand current tests to identify unauthorized or vulnerable external 
  connections to VA’s network. Establish a process for tracking the status of security weaknesses, corrective 
  actions taken, and independent validation of the corrective actions. Develop a process for routinely 
  analyzing the results of computer security reviews to identify trends and vulnerabilities and apply 
  appropriate countermeasures to improve security. Develop a proactive security incident response program 
  to monitor user access for unusual or suspicious activity. 
  Actions VA has taken since March 2002: Initiated a multiyear project to consolidate, protect, and centrally 
  manage external connections to VA systems. Developed a process for tracking the status of computer 
  security weaknesses and corrective actions taken. Developed an ad hoc approach for identifying computer 
  control weaknesses for review. Awarded contract for an expanded security incident response and analysis 
  program to include security monitoring and detection capability for external user access activities. 
  Enhanced computer virus detection program by providing technical training to operational staff and 
  distributing antivirus patches. 
  Actions still needed: Develop specific requirements for conducting a compliance review program. Develop 
  an ongoing program for testing controls to include assessments of both internal and external access to VA 
  systems; expand current tests to identify unauthorized or vulnerable external connections to VA’s network. 
  Develop a process to independently validate corrective actions taken. Develop a process that emphasizes 
  routinely analyzing the results of computer security reviews to identify trends and vulnerabilities and 
  apply appropriate countermeasures to improve security. Develop a proactive security incident response 
  program to provide for both internal and external monitoring of user access to identify unusual or 
  suspicious activities. 

(a) GAO/AIMD-98-68. 

Source: GAO. 
The department’s critical remaining actions include routinely monitoring and evaluating the 
effectiveness of security policies and controls and acting to address identified weaknesses. 

These tasks aid organizations in cost effectively managing their information security risks rather 
than reacting to individual problems after a violation has been detected. We have previously 
recommended that VA establish a program involving ongoing monitoring and evaluation to 
ensure the effectiveness of its computer control environment. An effective program framework 
would include a description of the scope and level of testing to be performed, specific control 
areas to be tested, the frequency of testing, and the identity of responsible VA units. In addition, 
testing and evaluation would include penetration tests and reviews of the computer network, as 
well as compliance reviews of all computer control areas, including logical and physical access 
controls; service continuity tests; and system and application integrity and change controls 
performed on a scheduled basis. 

VA has begun placing greater emphasis on controlling its security risks; however, its current 
framework does not yet include some of the essential elements required to achieve a formal 
program for monitoring and evaluating computer controls. For example, while the department 
has conducted some tests of its control environment, including penetration tests and reviews of 
its computer network, this effort has largely been performed in an ad hoc manner, rather than as 
part of a formal, ongoing program. Further, while VA has established a departmental process for 
assessing computer controls, the process relies on VA’s offices to self-report computer control 
weaknesses, with no independent validation component to ensure the accuracy of reporting. 

Similarly, an effective computer security management program should include a process for 
ensuring that remedial action is taken to address significant deficiencies and that it provides steps 
to analyze weaknesses reported for identifiable trends and vulnerabilities, and to apply 
appropriate countermeasures as needed. Although VA has established a system for tracking 
corrective actions, it has not developed a process for independently validating or reviewing the 
appropriateness of the corrective actions taken. Further, the department currently lacks a process 
to routinely analyze the weaknesses reported, limiting its effectiveness at identifying systemic 
problems that could adversely affect critical veterans information systems departmentwide. 
Finally, although VA has developed a framework for addressing departmentwide computer 
security, it has not yet established a mechanism for collecting and tracking performance data, 
ensuring management review when appropriate, or providing for independent validation of 
program deliverables. Until it addresses all key elements of a comprehensive computer security 
management program and develops a process for managing the department’s security plan, VA 
will not have full assurance that its financial information and sensitive medical records are 
adequately protected from unauthorized disclosure, misuse, or destruction. 


VBA REMAINS FAR FROM FULL IMPLEMENTATION 
OF THE VETSNET COMPENSATION AND PENSION 
REPLACEMENT SYSTEM 


Mr. Chairman, we continue to be concerned about the slow progress that VBA is making in 
implementing the VETSNET compensation and pension replacement system. As you know, 
VBA currently relies on its aging Benefits Delivery Network to deliver over 3.5 million benefits 
payments to veterans and their dependents each month.^10 The compensation and pension 
replacement effort grew out of an initiative that VBA undertook in 1986 to replace its outdated 
BDN and modernize its compensation and pension, education, and vocational rehabilitation 
benefits payment systems. After several false starts and approximately $300 million spent on the 
overall modernization, the administration revised its strategy in 1996 and began focusing on 
modernizing the compensation and pension (C&P) payment system. 

VBA has now been working on the C&P replacement initiative for more than 6 years, but 
continues to be far from full implementation of the new payment system. As we reported last 
March, long-standing, fundamental deficiencies in VBA’s management of the project hindered 
successful development and implementation of the system. For example, the initiative was 
proceeding without a project manager, and VBA had not obtained essential field office support 
for the new software being developed. In addition, users’ requirements for the new system had 
not yet been assessed or validated to ensure that VETSNET would meet business needs; and 
testing of the system’s functional business capability, as well as end-to-end testing to ensure that 


^10 Parts of the Benefits Delivery Network were developed in the 1960s. 
accurate payments would be delivered, still needed to be completed. Finally, VBA had not 
developed an integrated project plan to guide its transition from BDN to the new system. 

This past June, we recommended that, before approving any new funding for the replacement 
system, the Secretary should ensure that actions are taken to address our long-standing concerns 
about VBA’s development and implementation of the system. These recommended actions 
included (1) appointing a project manager to direct the development of an action plan for, and 
oversee the complete analysis of, the current system replacement effort; (2) finalizing and 
approving a revised C&P replacement strategy based on results of the analysis and implementing 
an integrated project plan; (3) developing an action plan to move VBA from the current to the 
replacement system; and (4) developing an action plan to ensure that BDN will be available to 
continue accurately processing benefits payments until the new system is deployed.^11 The 
department concurred with our recommendations, and stated that actions were either under way 
or planned to implement them. 

Actions Taken in Recent Months 


Since our March testimony and subsequent recommendations, VBA has acted to further its 
development and implementation of the C&P replacement system. Among these actions VBA 
began recruiting a full-time project manager in June, and, according to the deputy CIO for VBA, 
expects to fill this position by the end of this month. In addition, to obtain field office and 
program support, in late March VBA formalized an implementation charter that established a 
VETSNET executive board and a project control board.^12 These entities are expected to provide 
decision support and oversee progress on the implementation. VBA has also begun revalidating 
functional business requirements for the new system. Its July 10, 2002 status report called for 


^11 U.S. General Accounting Office, Veterans Affairs: Sustained Management Attention Is Key to Achieving 
Information Technology Results, GAO-02-703 (Washington, D.C.: June 12, 2002). 

^12 The executive board meets monthly and consists of VBA’s chief financial officer, deputy chief information officer, 
director of compensation and pension service, and director of field operations. The project control board meets 
weekly and comprises representatives from the Office of Information Management, Compensation and Pension 
Service, Office of Resource Management, Field Operations, and the Program Analysis and Integrity Office. It is 
codirected by a business project manager and a technical project manager. 
validating the majority of its requirements by the end of this month, and to complete all 
requirements validation by January 2003. The report also identified actions needed to transition 
VBA from the current to the replacement system. Further, in July VBA hired a contractor to 
obtain support for testing the VETSNET system applications. The contractor has been tasked 
with conducting functional, integration, and linkage testing, as well as software quality assurance 
for each release of the system applications. 

Much Work Remains 


Nonetheless, VBA still has significant work to accomplish, and completing its implementation of 
the new system could take several years. All but one of the software applications comprising the 
new system still need to be fully deployed or developed, and VBA is currently processing only 
nine benefits claims using its new software products.^13 As described in VA’s August 2002 
Compensation and Pension Replacement System Capital Asset Plan, the C&P replacement 
strategy incorporates six software applications; (1) Share, (2) Modem Award Processing - 
Development, (3) Rating Board Automation 2000, (4) Award Processing, (5) Finance and 
Accounting System, and (6) Correspondence. These applications are being designed to support 
the processing of initial benefits claims for service-connected disabilities, as shown in table 3. 


^13 As part of a pilot test in February 2001, VBA began processing ten original benefits claims using its new software. 
However, according to VBA, one veteran included in the pilot moved to West Virginia, and his payment is now 
being delivered by the BDN. 
Table 3: C&P Replacement System’s Support of Initial Disability Claims Processing 


C&P Replacement System Software Application / Initial Disability Claims Processing and Benefit Payment Functions 

Share (establishment) 
    Establish the claim — regional office enters basic information provided by the 
    veteran into a computer system and sets up a claim file folder 

Modern Award Processing - Development (MAP-D) 
    Develop the claim — regional office reviews the claim file folder for military 
    service and medical information, requests and obtains missing information, 
    and assesses information to determine basic eligibility 

Rating Board Automation 2000 (RBA 2000)^a 
    Rate the claim — regional office analyzes the veteran’s service records and 
    service and private medical records and determines the veteran’s level of 
    disability 

Award Processing (AWARD) 
    Authorize the claim — regional office reviews previous work on the claim, 
    approves the initiation of benefit payments, and notifies the veteran of the 
    decision 

Finance and Accounting System (FAS) 
    Pay beneficiary — regional office enters data into computer system to 
    generate and make payment to veterans 

Correspondence 
    Notify veteran — regional office sends letters informing veterans of the status 
    of actions to process their claims 


^a The Search and Participant Profile application is used in conjunction with RBA 2000 and pulls information from 
the corporate database when reopened claims are rated and is transparent to the user. Until recently, this application 
had been counted separately. 

Source: GAO analysis. 


VBA still has numerous tasks to accomplish before these software applications can be fully 
implemented. Although, last year, the administration implemented its rating board automation 
tool (RBA 2000), it will not require all of its regional offices to use this software until July 2003. 
In addition, our recent follow-up work determined that two of the software products continue to 
be in various stages of deployment. Specifically, among the 57 regional offices that are expected 
to benefit from the replacement system, only 6 are currently using Share to establish a claim; 
VBA still needs to implement the tool in the 51 other regional offices. In addition, only two 
regional offices — Salt Lake and Little Rock — have pilot-tested and are currently using MAP-D 
to assist in the development of most compensation claims. VBA still needs to implement this 
tool in 55 other regional offices. Full implementation is currently estimated for October 2003. 


Further, three software applications — AWARD, FAS, and Correspondence — continue to require 
development. According to VBA officials, when implemented, AWARD will record award 
decisions and generate, authorize, and validate on-line awards for veterans and interface with 
Correspondence to develop the notification letter for the veteran. FAS will provide the 
accounting benefits payments functions and will include an interface with the Department of the 
Treasury. 


VBA expects to complete software coding for AWARD and FAS by March 2003. Based on its 
most recent estimates, it expects to begin nationwide deployment of the two systems in April 
2004. Once these activities are accomplished, VBA plans to begin its conversion to the new 
system, with a completion date currently set for December 2004. Figure 4 depicts VBA’s 
current time line for the full implementation of the system. 


Figure 4: VBA’s Time Line for Completing and Implementing the Compensation & Pension 
Replacement Payment System (as of July 2002) 
Given its current schedule for implementing the C&P replacement system, VBA will have to 
continue relying on BDN to deliver compensation and pension benefits payments until at least 
the beginning of 2005. However, with parts of this system nearing 40 years old, without 
additional maintenance, BDN’s capability to continue accurately processing benefits payments is 
uncertain. Our concerns have been substantiated by the VA claims processing task force, which 
in its October 2001 report warned that the system’s operations and support were approaching a 
critical stage and that its performance could potentially degrade and eventually cease.^14 

Since March, VBA has taken steps to help ensure that BDN can be sustained and remains 
capable of making prompt, uninterrupted payments to veterans. For example, VBA has (1) 
completed an upgrade of BDN hardware, (2) hired 11 new staff members dedicated to BDN 
operations, and (3) successfully tested a contingency plan. Further, according to VBA’s deputy 
CIO, the administration has developed an action plan outlining strategies for keeping BDN 
operational until the replacement system is implemented. Nonetheless, the risks associated with 
continual reliance on BDN remain — one of the system’s software applications (database monitor 
software) is no longer supported by the vendor, nor is it used by any other customer. 

GOVERNMENT COMPUTER-BASED 
PATIENT RECORD INITIATIVE HAS 
CHANGED NAME. GOALS. STRATEGY 

Finally, Mr. Chairman, I would like to provide updated information on VA’s progress, in 
conjunction with the Department of Defense (DOD) and the Indian Health Service (IHS), in 
achieving the ability to share patient health care data as part of the government computer-based 
patient record (GCPR) initiative. As you know, the GCPR project was developed in 1998 out of 
VA and DOD discussions about ways to share data in their health information systems and from 

^14 The claims processing task force was formed in May 2001, when the Secretary of Veterans Affairs asked a group 
of individuals with significant experience to assess and critique VBA’s compensation and pension organization, 
management, and processes, and to develop recommendations to significantly improve VBA’s ability to process 
veterans’ claims for disability compensation and pensions. 
efforts to create electronic records for active duty personnel and veterans. IHS became involved 
because of its experience in population-based research and its long-standing relationship with 
VA in caring for the Indian veteran population, as well as its desire to improve the exchange of 
information among its facilities. 

GCPR was originally envisioned to serve as an electronic interface that would allow physicians 
and other authorized users at VA, DOD, and IHS health facilities to access data from any of the 
other agencies’ health facilities by serving as an electronic interface among their health 
information systems. The interface was expected to compile requested patient information in a 
temporary, “virtual” record that could be displayed on a user’s computer screen. 

Last March we expressed concerns about the progress that VA, DOD, and IHS had made toward 
implementing GCPR. We testified that the project continued to operate without clear lines of 
authority or a lead entity responsible for final decision-making. The project also continued to 
move forward without comprehensive and coordinated plans, including an agreed-upon mission 
and clear goals, objectives, and performance measures. These concerns were originally reported 
in April 2001,^15 when we recommended that the participating agencies (1) designate a lead entity 
with final decision-making authority and establish a clear line of authority for the GCPR project, 
and (2) create comprehensive and coordinated plans that included an agreed-upon mission and 
clear goals, objectives, and performance measures, to ensure that the agencies can share 
comprehensive, meaningful, accurate, and secure patient health care data. VA, DOD, and IHS 
all agreed with our findings and recommendations. 

Our March testimony also noted that the scope of the GCPR initiative had been narrowed from 
its original objectives and that the participating agencies had announced a revised strategy that 
was considerably less encompassing than the project was originally intended to be. Specifically, 
rather than serve as an interface to allow data sharing across the three agencies’ disparate 
systems, as originally envisioned, a first (near-term) phase of the revised strategy had called only 


^15 U.S. General Accounting Office, Computer-Based Patient Records: Better Planning and Oversight by VA, DOD, 
and IHS Would Enhance Health Data Sharing, GAO-01-459 (Washington, D.C.: Apr. 30, 2001). 
for a one-way transfer of data from DOD’s current health care information system to a separate 
database that VA hospitals could access. 

Subsequent phases of the effort that were to further expand GCPR’s capabilities had also been 
revised. A second phase that would have enabled information exchange among all three agencies 
had been re-scoped to enable only a bilateral read-only exchange of data between VA and IHS. 
Plans for a third phase involving the expansion of GCPR’s capabilities to public and private 
national health information standards groups were no longer being considered for the project, 
and there were no plans for DOD to receive data from VA. 

GCPR is Proceeding Under a New Name and Strategy 

In May, VA and DOD proceeded with implementing the revised strategy. It finalized a 
memorandum of agreement that designated VA as the lead entity in implementing the project 
and formally renamed the project the Federal Health Information Exchange (FHIE) Program. 
According to program officials, FHIE is now a joint effort between DOD and VA that will 
enable the exchange of health care information in two phases. The first phase, or near-term 
solution, is to enable the one-way transfer of data from DOD’s existing health care information 
system to a separate database that VA hospitals can access. Nationwide deployment and 
implementation of the first phase began in late May of this year, and was completed in mid-July. 

FHIE was built to interface with VA’s and DOD’s existing systems. Specifically, electronic data 
from separated service members contained in DOD’s Military Health System Composite Health 
Care System are transmitted to VA’s FHIE repository, which can then be accessed through the 
Computerized Patient Record System (CPRS) in VA’s Veterans Health Information Systems and 
Technology Architecture (VISTA). Clinicians are able to access and display the data through 
CPRS remote data views.^16 The data currently available for transfer include demographic^17 and 

^16 The CPRS remote data views is an application that allows authorized users to access patient health care data from 
any VA medical facility. 

^17 The demographic information consists of patient name, DOD eligibility category, Social Security number, address, 
date of birth, religion, primary language, sex, race, and marital status. 
certain clinical information, such as laboratory results, outpatient pharmacy data, and radiology 
reports on service members that have separated from DOD. 

The final phase of the near-term solution is anticipated to begin this October. According to VA 
and DOD officials, this phase is intended to broaden the base of health information available to 
VA clinicians through the transfer of additional health information on separated service 
members. This additional information is expected to consist of discharge summaries;^18 allergy 
information; admissions, disposition, and transfer information; and consultation results that 
include referring physicians and physical findings. Completion of this final phase of FHIE is 
scheduled for September 2003. VA and DOD have budgeted $12 million in fiscal year 2003 ($6 
million for each agency) to cover completion and maintenance of the near-term effort. 

VA and DOD Report Success in 
Implementing the First Phase of FHIE 

FHIE is currently available to all VA medical centers, and according to program officials, is 
showing positive results. The officials stated that, presently, the FHIE repository contains data 
on almost 2 million unique patients. This includes clinical data on over 1 million service 
personnel who separated between 1987 and 2001. The data consist of over 14 million lab 
messages, almost 14 million pharmacy messages, and over 2 million radiology messages. 

Program officials stated that the quick retrieval and readability of data contained in the FHIE 
repository has begun providing valuable support to VA clinicians. They stated that FHIE is 
capable of accommodating up to 800 queries per hour, with an average response rate of 14 
seconds per query. For the week beginning July 29, 2002, VA clinicians made 287 authorized 
queries to the database. In addition, when a clinician at a VA medical facility retrieves the data 
transmitted from DOD, the data appear in the same format as the data captured in CPRS, further 
facilitating its use. During a demonstration of the data retrieval capability, a clinician at VA’s 
Washington, D.C., medical center told us that the information provided through FHIE has proven 
particularly valuable for treating emergency room and first-time patients. He added that 


^18 Discharge summaries will include inpatient histories, diagnoses, and procedures. 
additional data anticipated from the second phase of FHIE should prove to be even more 
valuable. 

VA and DOD Developing 
Interoperable Health Systems 

Beyond FHIE, VA and DOD have envisioned a long-term strategy involving the two-way 
exchange of clinical information. This initiative has been termed HealthePeople (Federal). 
According to VHA’s CIO and the Military Health System CIO, VA and DOD are jointly 
implementing a plan that will result in computerized health record systems that ensure 
interoperability between DOD’s Composite Health Care System II and VA’s HealtheVet VISTA 
to achieve the sharing of secure health data required by their health care providers.^19 In order to 
accomplish this objective, the two agencies intend to standardize health and related data, 
communications, security, and software applications where appropriate. As part of 
HealthePeople (Federal), IHS is also expected to be actively involved in helping to develop 
national standards and compatible software applications to further the standardization of data, 
communications, and security for health information systems. When our review concluded, VA 
and DOD had just begun this initiative, with a focus on addressing the standardization issue. At 
that time, they anticipated implementing this exchange of clinical information by the end of 
2005. 

* * * * * 

In summary, Mr. Chairman, VA continues to make important progress toward improving its 
management of information technology, with the attention and support of its executive 
leadership contributing significantly to ongoing actions to improve key areas of IT performance. 
The restructuring of responsibility and accountability directly to the CIO is a particularly 
important step — one that could set the stage for VA truly achieving its One-VA vision. In 
addition, actions aimed at further developing the department’s enterprise architecture and 
improving computer security management continue to help solidify the IT foundation necessary 


^19 Both of these systems are currently under development. 
to guide VA’s development and protection of critical information systems and data that are vital 
to its mission. Finally, although under a revised, scaled-down initiative, VA and DOD have 
made some progress in achieving the capability to share health care data on military personnel 
and veterans. Yet, challenges remain. Ensuring that the enterprise architecture will be fully 
implemented and sustained beyond the current leadership necessitates that the department 
establish a program management structure to guide and oversee this critical initiative. 

Completing its comprehensive computer security management program is also essential to 
ensure that the department can effectively safeguard its assets and sensitive medical information. 
Further, the urgency that VA faces in replacing its aging BDN continues to grow, while much 
must be accomplished before full implementation of the compensation and pension replacement 
system. Instituting the necessary processes and controls to guide VA’s information technology 
programs and investments will be vital to ensuring that the department does not fall short of its 
goals of enhancing operational efficiency and, ultimately, improving service delivery to our 
nation’s veterans. 

Mr. Chairman, this concludes my statement. I would be pleased to respond to any questions that 
you or other members of the subcommittee may have at this time. 
Statement of 
Dr. John A. Gauss 

Assistant Secretary for Information and Technology 
Department of Veterans Affairs 
Before the 

Subcommittee on Oversight and Investigations 
Committee on Veterans’ Affairs 
U. S. House of Representatives 
September 26, 2002 


Good morning, Mr. Chairman and members of the Subcommittee. On behalf of 
the Secretary of Veterans Affairs, I am pleased to have this opportunity to come 
here today and update you on the progress the Department has made in 
strengthening our Information Technology program, and specifically address 
issues relating to: 

• VA’s Enterprise Architecture; 

• VA's Cyber Security program; 

• The recent realignment of the Department’s IT structure; and, 

• Issues raised at the March 13, 2002, IT hearing. 

On March 13, 2002, I appeared before this Subcommittee and gave you my 
personal commitment to reform the way VA uses information technology. I 
committed to: 

• Publishing an approved Enterprise Architecture Implementation Plan by 
no later than 30 April 2002; 

• Ensuring that networks and systems we depend upon are made secure 
and available; 

• Personally overseeing VETSNET to ensure its progress meets the 
projected time of being ready to deploy by April 2004 or recommending to 
the Secretary that the effort be terminated; and, 

• Conducting a deployment review for the Government Computer Based 
Patient Records (GCPR) program to ensure a quality product can be 
effectively deployed. 

With respect to Enterprise Architecture (EA), the Department published a 
detailed Implementation Plan on April 22, 2002, and undertook the development 
of the initial version of the One-VA Enterprise Architecture. As a result of 
successfully executing the Implementation Plan, the Secretary approved version 
1.0 of the One-VA Enterprise Architecture on September 5, 2002. It provides a 
clear pathway for the transformation of both business processes and Information 
Technology to support these business processes across the Department. 

Version 1.0 of the One-VA EA establishes ten Enterprise Business Functions 
(EBFs) and seven Key Enabling Functions (KEFs) that provide a top-level view of 
the Department’s operations from a top-down, business-focused perspective. 
These EBFs and KEFs are as follows: 

Enterprise Business Functions 

• Compensation 

• Pension 

• Vocational Rehabilitation & Employment 

• Education 

• Insurance 

• Home Loan Guaranty 

• Memorials & Burial 

• Medical Care 

• Medical Education 

• Medical Research 

Key Enabling Functions 

• Finance and Accounting 

• Acquisition & Materiel Management 

• Information Technology 

- Telecommunications 

- Cyber Security 

- Data Center COOP 

• Human Resources 

• Training & Education 

• Registration & Eligibility 

• Contact Management 

Several of these EBFs and KEFs were identified as significant opportunities for 
functional consolidation and integration to collapse redundant processes and the 
duplicative IT systems that support them and implement a transformational, One- 
VA approach to dealing with veterans. These include Registration and Eligibility 
that will collapse eight separate business processes into one, and Contact 
Management that will provide a single multi-media face for the Department in 
interacting with veterans and collapse five redundant business processes into 
one. They also include the Health Data Repository (HDR), which will set the 
foundation for transforming VA medical care from “facility centric” to “patient 
centric” health care. 

From the perspective of Information Technology Infrastructure to support the 
EBFs and KEFs, the One-VA EA describes the distributed computing model and 
technical architecture for the future. The top layer of the model represents how 
data and applications will interrelate in the future. It is where VA will implement 
the functional consolidation described previously in One-VA Registration and 
Eligibility, Contact Management and Health Data Repository. 

The layer below the data/applications layer represents corporate and regional 
computing services to store the data and run the applications. VA will 
consolidate corporate data center operations to establish a single corporate data 
center distributed across three widely dispersed locations. These three locations 
will operate under a single management structure and be linked with one another 
with high performance data telecommunications so they appear logically as a 
single entity. They will provide Continuity of Operations (COOP) support for 
electronic data vaulting, applications restart and business process restart in the 
event of a disaster. Regional data centers will also support the EA’s distributed 
computing model in transitioning VA from a "facility centric" computing 
environment to a "network centric" computing environment to support mid-tier 
and office automation capability. In the end state, this effort will remove many 
servers from end user facilities and replace them in regional locations with COOP 
capability designed in. This will lead to significant reduction in hardware costs for 
the future, reduce the skills required at the local level to operate and maintain the 
capability, and significantly enhance our cyber security posture. 

The next lower layer in the distributed computing model is for cyber security 
functions to protect the computing infrastructure against cyber attack. The 
bottom layer is a One-VA national data network. We are well on our way to 
implementing the One-VA data network and the Cyber Security functions to 
protect our computing environment. 

Specific progress since the last hearing follows: 

• The Department of Veterans Affairs "One-VA Enterprise Architecture 
Implementation Plan: FY 2002" was approved on April 22, 2002; 

• The Secretary approved the Department of Veterans Affairs "One-VA 
Enterprise Architecture Version 1.0” on September 5, 2002; 

• Staffing has been approved for the Enterprise Architecture Office and 
recruitment for these positions is underway; and, 

• The position for an SES level Chief Architect has been approved and 
recruitment for this position is underway. 

As I discussed in my March 13, 2002, testimony before this Subcommittee, our 
current data network is overly complex, too expensive for the performance it 
provides, and does not have an enterprise-wide network management capability. 
This complexity and lack of network management capability seriously impede our 
ability to properly secure and assure network services. To correct these 
deficiencies, we have embarked on a project to re-architect our data network and 
change the network from a circuit-based network to a performance-based 
network. The VA Strategic Management Council reviewed and the Deputy 
Secretary has approved executing the first phase of this project. The detailed 
Business Case Analysis, Cost Benefit Analysis, Return on Investment Analysis, 
and Analysis of Alternatives were completed. These analyses showed that 
converting our data network from a circuit-based network to a performance- 
based network will: 

• Simplify the complexity; 

• Substantially improve performance in support of our EA efforts; 

• Establish a network management capability; 

• Significantly improve the security and assurance of service; and, 

• Provide savings to our current data network budget. 

Phase I of this project involved the transfer of responsibility for the Operations & 
Maintenance of the data network backbone to SPRINT, one of the FTS2001 
telecommunications providers. Phase I also involves standardizing equipment 
and software configurations across the data network backbone. Phase I will be 
complete by the end of this month. Since transferring this responsibility to 
SPRINT in April 2002, we have significantly improved network backbone 
effective throughput and reliability. The next phase of this project will optimize 
the network’s backbone performance. We will start this optimization next week. 

With respect to cyber security, the Department has made significant progress in 
correcting the deficiencies identified by our Office of Inspector General (OIG) and 
the General Accounting Office (GAO). This year, the Department fielded one of 
the largest anti-virus capabilities in the world, as well as awarded a multi-year 
contract to significantly enhance the VA’s central incident response capability. 

VA recently established a global anti-virus capability to protect the over 140,000 
desktops connected to VA’s Intranet from malicious attack. To date, over two 
million viruses have been successfully detected and eradicated. This effort is 
continuing through providing additional role-based training to ensure that IT 
personnel are knowledgeable about associated equipment operating 
characteristics and maintenance requirements; hardening servers consistent with 
optimized site configuration; and, establishing an Anti-virus analytical and 
warning capability. This capability uses an automated tool that, within minutes of 
a virus attack on a VA computer, can identify the incident by virus type, version, 
and specific location of the equipment under attack. When a virus attack is 
detected, a warning is concurrently sent to the VA Central Incident Response 
Capability (VA-CIRC), which will issue a Department-wide anti-virus alert. 

After a rigorous several-month effort, a contract to significantly upgrade the 
capabilities of our VA-CIRC was awarded during July. The contract winner, 
which is now known as the VA Security Team, or VAST, is a consortium of five 
small businesses, led by Secureinfo Corporation. There are three large 
companies that are under subcontract to provide specific niche services when 
required. In the near future, this enhanced VA-CIRC capability will become the 
nucleus of all VA information and Internet security operations nationwide, 
providing such global services as firewall management and Intrusion Detection 
System (IDS) monitoring. 

The VA anti-virus program will be integrated with the enhanced VA-CIRC 
capability, and associated vendor releases, security bulletins, security alerts, and 
patch distribution will be tailored for the specific existing configuration of each VA 
facility. This will afford immediate management attention to priority issues, 
instead of the current situation wherein IT staff and security personnel must 
evaluate all alerts for relevancy to their operations. The VA-CIRC has begun 
testing the effectiveness of facility-implemented security controls through 
vulnerability and penetration scanning tests. This exemplifies the total “cradle to 
grave” solution that is required to effectively address emerging threats to VA’s 
networks on an expedient basis. 

In addition to the anti-virus and VA-CIRC efforts, the Department is continuing to 
deploy other specifically focused initiatives developed during the past year to 
correct IT security weaknesses identified in our annual Government Information 
Security Act (GISRA) self-assessment survey process. These programs include 
our Enterprise Cyber Security Infrastructure Project (ECSIP), the Information 
Security Technology Certification and Accreditation Program (ITSCAP), and our 
newly-established Cyber Security Professionalization and Compliance Programs. 

The ECSIP program, which was discussed during the March testimony, will 
implement Department-wide intrusion detection, and firewall capability with a 
concurrent significant reduction in external network gateways. This project, 
which was approved by the Department’s Strategic Management Council in 
February 2002, coincides with VA’s telecommunications network modernization. 
As part of the project, we plan to systematically collapse the over 200 existing 
external network gateways in VA into a more manageable number and efficient 
structure. Concurrent with this effort, Department-wide IDS capability will be 
incrementally deployed on a strategic basis to provide significantly increased 
security protections for these gateways. The IDS effort will include real-time 
analytical incident support, as well as information sharing capabilities regarding 
emerging threats and vulnerabilities. Design and implementation efforts for this 
standardized architecture and configuration are underway and we anticipate 
deploying the initial capability during the first quarter of calendar year 2003. 

ITSCAP, the Department’s comprehensive Certification and Accreditation (C&A) 
process, will ensure that IT systems undergo a rigorous security review prior to 
being authorized to process sensitive data. An accompanying ITSCAP 
Handbook of procedures and guidance, which articulates the specific actions, 
document reviews, and required analyses associated with the C&A process, 
places increased emphasis on the system and/or major application security plan, 
and on physical security, through a “site-specific” accreditation process. 

The Department’s newly-established Cyber Security Professionalization Program 
(CSPP) will provide general and role-specific training, career progression, and 
incentives targeted toward development of a highly skilled and motivated cadre 
of VA cyber security practitioners. In addition to existing VA Information Security 
Officer (ISO) training modules, other elements being considered for inclusion in 
the CSPP include: training and testing specific to Federal and VA guidelines for 
IT security; training and testing specific to topical areas included in industry- 
recognized professional certifications; and, career development opportunities 
through formalized position descriptions which delineate a range of ISO skill 
levels to support Department-wide career paths. 
Additionally, the CSPP will provide professional certifications for those VA 
employees who meet stringent qualifications through combinations of training, 
testing, and experience. The Department will maintain pertinent information on 
individual cyber security practitioner certification status, evaluate the proficiency 
of current credential holders on a periodic basis, and take appropriate action to 
suspend and/or revoke cyber security practitioner credentials for any individual 
who fails to adhere to established standards. 

A Compliance Program will provide independent verification of adherence to 
Department security policies and procedures through continual assessment of 
documentation archived in the Department’s GISRA database, and subsequent 
periodic site visits to verify and test related IT security control implementation. 
The results of these reviews will be provided to facility directors and Department 
senior management personnel to ensure that personnel initiate prompt action to 
correct identified deficiencies. Additionally, the reviews will be used to develop a 
process for routinely identifying trends and vulnerabilities, and applying 
appropriate countermeasures to improve security. 

The Secretary approved the establishment of the professionalization and 
compliance programs to respond to concerns expressed by the OIG regarding 
the unevenness of reporting in the Department’s GISRA database, as well as to 
preclude instances such as the one that occurred in the Indianapolis Medical 
Center this past spring. 

In summary of our cyber security efforts, we are building a strong foundation for 
our IT program, but much remains to be done. 

In a memorandum signed by the Secretary on August 6, 2002, he directed that 
all IT personnel and resources be centralized under the Office of Information and 
Technology. The first action I took was to assign the Administration Chief 
Information Officers to be Department Deputy CIOs for Health, Benefits and 
Memorial Affairs. Further, the senior IT manager in each Central Office staff 
office that operates and maintains IT networks and equipment now report directly 
to me. 

Initially, I have focused on establishing a clear, unambiguous reporting chain for 
the Department's cyber security efforts. We have developed an organizational 
structure that combines the cyber security staff elements of the Administrations 
with the Central Office’s Cyber Security staff, thereby creating a single integrated 
cyber security program office for the Department. Further, field Information 
Security Officers (ISOs) at the VHA VISN level and at the VBA Network Service 
Center (NSC) level will become direct reports to the Office of Cyber Security 
early next fiscal year. Within each hospital, regional office and at each cemetery, 
the ISOs will report directly to their respective facility director rather than the 
inconsistent manner of reporting in the past. The VISN and NSC ISOs will 
provide functional cyber security direction to the facility ISOs, and conduct 
periodic inspections of the Cyber Security activities at each facility under their 
purview. The facility ISOs will be required to submit weekly reports as to each 
facility’s cyber security health and welfare. 

With respect to financial accountability, I am requiring financial execution plans, 
or spend plans, to be submitted to me for approval prior to the start of each fiscal 
year. These spend plans define what work will be done, who will do the work, 
how much will be spent and when it will be spent. I am pleased to report that I 
have received these spend plans for fiscal year 2003 that cover the planned IT 
expenditures for each administration. I am also pleased to report that the quality 
of these spend plans far exceeded my expectations for the initial submission. 
These spend plans will give my office the opportunity to drill down into each 
planned expenditure to ensure that they will not only satisfy mission need but will 
also comply with the recently published version 1.0 of the Enterprise 
Architecture. Although the quality of the initial spend plan submissions far 
exceeded my expectations, some spend plans require additional work to provide 
a greater degree of detail. This work will be completed prior to the end of the 
calendar year. 

I have convened a group of senior leaders from the Department to develop a 
detailed reorganization package to submit to the Secretary no later than 
November 1, 2002. This reorganization package will provide the detail 
associated with the specific centralization of authority from an organizational 
perspective, and provide detailed staffing descriptions for each of the 
organizational elements. In addition to the reorganization of the cyber security 
functions discussed above, the group will help me determine how best to 
consolidate duplicative staff functions, centralize the reporting responsibilities of 
our data centers and our IT system development activities, and consolidate the 
Central Office IT networks and computing facilities. 

Concerning VETSNET, as I committed to you at the last hearing, I have been 
personally overseeing the progress of this effort along with the Under Secretary 
for Benefits. On June 17, 2002, the Secretary received a comprehensive review 
of our plans to correct the Department’s outstanding IT deficiencies as reported 
by the General Accounting Office. This review included a detailed discussion on 
VETSNET. Required actions to be completed by the end of September include: 

• Selecting a full time VETSNET project manager to have the responsibility 
and accountability for cost, schedule and performance for the completion 
of this effort; 

• Contracting for an independent test activity to ensure that the system will 
meet all of its performance requirements; 

• Validating that all of the performance requirements are correct (except for 
reports that are due by the end of the calendar year); and, 

• Conducting a review of the readiness of the program to meet the April 
2004 date that was promised at the last hearing. 
I am pleased to report that these actions are complete and, in conjunction with 
the Under Secretary for Benefits, we have recommended to the Secretary that 
we continue the VETSNET effort in FY2003. 

With respect to the Government Computer Based Patient Records (GCPR) 
program, we have re-baselined and re-scoped the program to address issues 
identified in a 2001 GAO report. We have renamed GCPR to be the Federal 
Health Information Exchange (FHIE) program. The re-baselined FHIE program 
uses an existing VA application called the Computerized Patient Record System 
(CPRS) as a fundamental building block. CPRS enables a clinician to access 
clinical data from any VA health facility. FHIE is a database that receives DoD 
clinical data (an exception being physician notes which are not electronically 
available from DoD at this time). CPRS is the application that enables VA to 
import clinical data from the FHIE database in addition to clinical data available 
within VA. 

On April 26, 2002, I chaired a review of the FHIE test results to determine 
whether or not the first phase of FHIE is ready for deployment. Based on the 
results of this review, I determined that FHIE was ready to deploy on May 27, 
2002. Deployment of this first phase of FHIE was completed on July 17, 2002. 
Future investment in FHIE will enhance functionality based on clinician feedback 
once operational. 

On May 3, 2002, the Deputy Secretary, Department of Veterans Affairs, and the 
Under Secretary (Personnel and Readiness), Department of Defense signed a 
Memorandum of Agreement (MOA) for the Federal Health Information Exchange 
Governance and Management. This MOA: 

• Replaces original GCPR documents signed in 1998; 

• Renames GCPR to Federal Health Information Exchange (FHIE); 

• Designates VA as the lead agency for FHIE (formerly GCPR); 

• Revises goals and objectives to be aligned with the current strategy and 
direction of the project; and, 

• Commits executive level support necessary to adequately manage the 
project. 

I believe that the issues addressed in the April 2001 GAO report on GCPR have 
been addressed by the above actions. 

I hope I have provided some insight as to the progress that has been made since 
the March 13, 2002, hearing. I believe these efforts demonstrate our very strong 
commitment, at all levels, to building an effective information technology program 
for the long-term. With your assistance, we will be able to continue on this path 
forward to ensure our continued ability to service the health and benefit 
requirements of our veteran population and their dependents. 

Thank you for this opportunity to discuss these very important IT issues. I will be 
happy to answer your questions. 
Chairman Buyer to Department of Veterans Affairs 


Questions for the Record 
House Committee on Veterans’ Affairs 
Subcommittee on Oversight and Investigations 
September 26, 2002 

Hearing on VA Information Technology (IT) Initiatives 


1. Please provide the total expenditures, including personnel costs, related 
to the VETSNET project for the last seven years. Please list these figures 
by fiscal year. 


(In Thousands)    96 Actual   97 Actual   98 Actual   99 Actual   00 Actual   01 Actual   02 Actual   Total To Date 

Non-payroll           2,062       2,285       3,222       2,700       3,421       6,765       8,864          29,319 

Payroll                 781       1,277       1,012       1,009       1,066       1,479       2,161           8,785 

Total Cost           $2,843      $3,562      $4,234      $3,709      $4,487      $8,244     $11,025         $38,104 


2. GAO stated in its report that “VA’s offices self-report computer security 
weaknesses, and it lacks an independent component to ensure the 
accuracy of reporting and validation of corrective actions taken.” How do 
you plan to address this issue? 

Overall, the Department has made significant progress in implementing the 
reporting provisions of the Government Information Security Reform Act of 2000 
(GISRA), through developing appropriate methodologies to identify, prioritize and 
remediate IT security control weaknesses. However, analysis of information 
contained in the Department's GISRA database indicates that some self-reported 
progress may be overly optimistic, or may not accurately reflect the current 
security status of some IT systems. Therefore, the VA Office of Cyber Security 
has established a review and inspection division to validate the accuracy of self- 
reported information in the GISRA database, and to conduct external and internal 
penetration testing to ensure that previously identified vulnerabilities have been 
adequately remediated. These processes will ensure the integrity of GISRA- 
related information as the Department moves rapidly forward in efforts to improve 
its overall IT security posture. 

3. Please articulate VA’s specific goals relating to the implementation of 
the One-VA Enterprise Architecture in FY 2003. Secondly, please provide 
the Committee an outline of VA’s timetable for full-scale implementation of 
the One-VA IT Architecture. 

The One-VA Enterprise Architecture v1.0 published in September 2002 lays out 
a logical model for the overall target One-VA Enterprise Architecture in section 
5.1 and a corresponding sequencing plan in section 6.1. Enterprise Architecture 
by its fundamental nature is a continuous improvement process and as such is 
never done. Nonetheless, these sections of the One-VA Enterprise Architecture 
v1.0 address the issue of specific goals and timetables for implementation of the 
One-VA Enterprise Architecture as developed thus far. The logical model 
presented in section 5.1 identifies several key elements of infrastructure as 
follows: 

• Telecommunications Infrastructure 

    • Telecommunications Modernization Project (TMP), 

• Cyber Security Infrastructure 

    • Enterprise Cyber Security Modernization Project (ECSIP), 

    • Authentication and Authorization Infrastructure (AAI) Project, 

• Corporate and Regional Data Processing with Continuity Of Operations 
(COOP) 

    • Corporate Data Center Integration (CDCI) Project. 

Each of these infrastructure elements has one or more key projects associated 
with it to implement the corresponding element of the One-VA Enterprise 
Architecture. These projects, discussed in the One-VA Enterprise Architecture 
sections 5.2 to 5.4, are also identified in the sequencing plan in section 6.1. 

Section 5.1 also identifies the top-level model for the distributed applications and 
data environment that will be supported by these infrastructure elements. Within 
that distributed applications and data environment, there are several key projects 
addressed within the One-VA Enterprise Architecture as follows: 


• One-VA Registration and Eligibility Project, 

• One-VA Contact Management Project, 

• VistA HealtheVet Health Data Repository (HDR) Project, 

• Core Financial and Logistic System (CoreFLS) Project. 

The following discussion addresses each of these key infrastructure and 
applications/data layer projects by providing a brief description, key goals, and 
projected timelines for FY 2003 to FY 2005. (No attempt is made here to project 
beyond FY 2005.) The discussion of these projects is followed by a summary of 
the future evolution of the One-VA Enterprise Architecture through the 
continuous improvement process adopted by VA. 

Project: Telecommunications Modernization Project (TMP) 

Description: The Telecommunications Modernization Project is intended to 
evolve from VA’s current state of over 30 loosely federated independent 
networks to a single, high performance wide area data network capable of 
supporting enterprise wide applications and support Service Level Agreements 
(SLAs) for performance and reliability at every service delivery node on the 
network. It was initiated in FY 2002 as a re-baseline of multiple pre-existing 
network efforts across the Department. 

Goals / Timelines: 

FY 2003: Optimize the core of the One-VA Wide Area Network (WAN) to 
support regional service delivery to all VA facilities, and to support Service 
Level Agreements for every service delivery point. Establish an around the 
clock Network Coordination Center (NCC) to continuously monitor the health 
of the network and take proactive action to resolve service delivery problems. 

FY 2004: Extend service delivery from the optimized core to all VA facilities 
to complete the project. 

FY 2005: Operations and sustainment. 

Project: Enterprise Cyber Security Infrastructure Project (ECSIP) 

Description: ECSIP will implement network protection devices and services 
such as firewalls, network intrusion monitors, and Virtual Private Networks 
(VPNs) to secure the boundary of the VA enterprise. ECSIP will implement a 
framework for Public Key Infrastructure (PKI), and implement a 24x7x365 Central 
Incident Response Center and Security Operations Centers to manage and 
control all network protection devices. It will also perform periodic penetration 
testing of VA networks, facilities, and applications to identify and resolve security 
weaknesses before they can be exploited by outside parties. ECSIP was 
initiated in FY 2002 as a re-baseline of multiple pre-existing cyber security efforts 
across the Department. 

Goals / Timelines: 

FY 2003: Implementation of a Central Incident Response Center with 
24x7x365 operations. Complete prototype implementation and evaluation, 
followed by initial production deployment of hardened network gateways at 
three VA corporate data centers. Initiate migration of external network and 
Internet connections to one of these corporate gateways and shut down other 
interconnections. Establish two Security Operations Centers to monitor 
network protection devices and perform periodic penetration testing. Certify 
and accredit anti-virus servers that provide on-line virus protection VA-wide. 

FY 2004: Complete production deployment of hardened network gateways at 
the remaining corporate and regional data processing centers as required to 
fully protect the boundary of the VA enterprise. Complete migration of 
external network connections and Internet connections to one of the 
corporate or regional data processing center gateways, and shut down other 
external network and Internet connections. Continue operations and 
sustainment. 

FY 2005: Operations and sustainment (prevent, detect and react). 
Project: Authentication and Authorization Infrastructure (AAI) Project 
Description: AAI will establish and maintain a standards-based authentication 
and authorization infrastructure that will enhance/replace simple User ID and 
Password logon access control security with stronger authentication through 
digital certificates and smart cards; and provide centralized management and 
control of network and application user access rights - the types of data and 
applications that a user may read, write, and/or update. AAI is a proposed FY 
2004 new initiative. 

Goals / Timelines: 

FY 2003: Implement a pilot of the authentication and authorization 
infrastructure (AAI) at the Austin Automation Center corporate data center. 

FY 2004: Update the proposed AAI with “Lessons Learned” from the pilot 
implementation, and initiate the production AAI implementation. 

FY 2005: Continue the AAI implementation (target FY 2006 completion). 

Project: Corporate Data Center Integration (CDCI) Project 
Description: 

The CDCI project will implement an improved continuity of operations (COOP) for 
VA corporate applications that currently operate at the Austin Automation Center 
(AAC), the Hines Information Technology Center (ITC), and the Philadelphia ITC. 
The project will significantly improve recovery time from a systems outage and 
reduce potential loss of data for mission critical and essential systems by 
providing electronic data vaulting and applications restart capability across the 
three locations. The current 72 hours will be shortened to 12 hours or less. The 
project supports the goal of ensuring VA information assets are adequately 
protected against loss. It also satisfies Presidential Decision Directive (PDD) 67 
requirement for essential processes to be available within 12 hours or less of an 
emergency event. The CDCI project is being done under the auspices of a 
Franchise Fund activity, the AAC, and is not an appropriated funding initiative. 
Goals / Timelines: 

FY 2003: Complete Operational Engineering Model (OEM) acceptance 
testing of technology needed to support protection of data and recovery of 
operations within the PDD 67 timeframe. Establish configuration and event 
management policy and procedures for use at the three centers. 

FY 2004: Complete production implementation of OEM for all mission critical 
and essential systems. 

FY 2005: Operations and sustainment. 
Project: One-VA Registration and Eligibility Project 
Description: The One-VA Registration & Eligibility process consolidates the 
eight distinct, line-of-business-centered processes currently in use within VA to 
register veterans and make eligibility and entitlement determinations into a 
veteran-centered integrated process. A key element of this approach is 
integration with the DoD's Defense Manpower and Data Center and the DEERS 
system to ensure efficient bi-directional flow of information on veterans between 
VA and the DoD. This integration will provide, for the first time, a single unified 
view of active, retired, reserve and separated members to both VA and the DoD. 
One-VA Registration and Eligibility is a proposed FY 2004 new initiative. 

Goals / Timelines: 

FY 2003: Prototype implementation and evaluation (limited scope and scale 
within Education, Medical Care and Memorial Affairs business 
lines). 

FY 2004: Integration and deployment into VA central R&E processing 
centers for initial business lines. 

FY 2005: Integration and deployment into VA central R&E processing 
centers for second increment of business lines. 

Project: One-VA Contact Management Project 

Description: In order to accomplish the goals of One-VA both in veteran 
perception and in increased internal workflow efficiency, the development of 
One-VA National Contact Management is both strategic and critical. A 
comprehensive contact management solution will incorporate the primary 
functionality of an inbound and outbound call center and provide expanded 
service to include website support, email response, US mail inquiry response, 
targeted and bulk mailing. One-VA Contact Management will execute in parallel 
with One-VA Registration and Eligibility. One-VA Contact Management is a 
proposed FY 2004 new initiative. 

Goals / Timelines: 

FY 2003: Prototype implementation and evaluation (limited scope and scale 
within Education, Medical Care and Memorial Affairs business 
lines). 

FY 2004: Integration and deployment into VA central R&E processing 
centers for initial business lines. 

FY 2005: Integration and deployment into VA central R&E processing 
centers for second increment of business lines. 
Project: VistA HealtheVet Health Data Repository (HDR) Project 
Description: HDR will hold individual patient medical records that delineate all 
aspects of a patient’s care across the continuum within VHA. The data will be 
comprised of demographics, patient centered data (e.g., medications, test 
results); encounters (e.g., purpose of visit, education, procedures, diagnosis) 
discharge summaries, etc. A perpetual store representing the veteran’s medical 
history will be managed via HDR. HDR is an ongoing project. 

Goals / Timelines: 

FY 2003: Technical strategies for the development of HDR will be defined 
and published. A HDR prototype will be designed and deployed. Based on 
prototype evaluation, the HDR design, including the completion of the 
lexicon/data mapping, will be completed. 

FY 2004: Development and integration of the HDR will be completed. Initial 
population of the HDR with VAMC data will be initiated and continue 
throughout FY 2004. 

FY 2005: The HDR Database population will be completed. The Data 
Mart/Data Warehouse implementations for HDR will also be completed. The 
repository will enter production operations by the end of CY 2005. 

Project: Core Financial and Logistics System (CoreFLS) Project 
Description: The new Core Financial and Logistics System (CoreFLS) is being 
implemented by VA to resolve repeat reportable conditions, e.g., lack of an 
integrated financial system. CoreFLS includes: Accounting and Budget, 
Contracting and Purchasing, Asset Management, and Inventory. CoreFLS will 
provide financial information in a timely and useful fashion to: (1 ) support 
management's fiduciary role; (2) support the legal, regulatory and other special 
management requirements of VA; (3) support budget formulation and execution 
functions; (4) support fiscal management of program delivery and program 
decision making, (5) comply with internal and external reporting requirements, 
including, as necessary, the requirements for financial statements prepared in 
accordance with the form and content prescribed by the Office of Management 
and Budget (OMB) and reporting requirements prescribed by the Joint Financial 
Management Improvement Program (JFMIP), Treasury; and others as 
established by law; and (6) monitor the financial management system to ensure 
the integrity of financial data. CoreFLS is an ongoing project based on 
commercial software. 

Goals / Timelines: 

FY 2003: Continue to execute Systems Development and Integration Phase. 
This will require the continuation of system configuration and refinement of 
training and change management plans to help prepare end-users for the 
change and maximize successful implementation of CoreFLS. 

FY 2004: Complete Systems Development and Integration and commence 
System Deployment and Implementation of CoreFLS which will involve 
migrating existing numerous disparate VA financial and logistics systems to a 
fully integrated financial and logistics system that supports contemporary best 
business, financial, and logistics management practices. 
FY 2005: Continue System Deployment and Implementation of CoreFLS 
(targeting a mid FY 2006 completion). 

While there are many IT Projects in the VA IT Portfolio, these eight projects play 
foundational roles in the One-VA Enterprise Architecture v1.0 as defined to date. 
The four Infrastructure projects will provide fundamental services to virtually 
every other IT project within the portfolio. Three of the remaining four 
applications and data layer projects (One-VA Registration and Eligibility, One-VA 
Contact Management and CoreFLS) will provide functional consolidation of 
processes and functions implemented today repeatedly and duplicatively across 
the Department, and will provide the basis for an integrated data environment 
across the Enterprise as called for in Section 5.1 of the One-VA Enterprise 
Architecture v1.0. The final applications and data layer project, Health Data 
Repository, will accomplish this same task of establishing an integrated data 
environment for clinical histories within the medical care arena. As such, many 
of the other development initiatives will make use of the integrated data and the 
services provided by these foundational projects. 

The One-VA Enterprise Architecture itself is continuing to evolve since VA is 
implementing Enterprise Architecture as a continuous improvement process, with 
version 1.0 approved by the Secretary in September 2002 serving as the initial 
baseline. A second update is underway to be published in FY 2003 as version 
2.0, which will accomplish several objectives. Version 2.0 will clean up remaining 
review comments from version 1.0. Additionally, version 2.0 will expand the 
scope in both breadth and depth over the initial baseline (i.e., greater depth for 
foundational areas identified in version 1.0 and discussed above, as well as 
expansion to other functional areas of foundational importance and to be 
prioritized in the Department’s FY 2005 budget submission). Finally, version 2.0 
will continue the theme established in version 1.0 of coupling Enterprise 
Architecture to key Departmental processes; namely planning and budgeting, 
project execution and Project Management Oversight. 
Chairman Buyer to U.S. General Accounting Office 

United States General Accounting Office 
Washington, DC 20548 


November 5, 2002 

The Honorable Steve Buyer 

Chairman, Subcommittee on Oversight and Investigations 
Committee on Veterans’ Affairs 
House of Representatives 

Subject: Veterans Affairs: Subcommittee Post-Hearing Questions Concerning the 
Department’s Information Technology Management 

This letter responds to your October 10, 2002, request that we provide answers to questions 
relating to our testimony of September 26, 2002.¹ At that hearing, we discussed the 
Department of Veterans Affairs’ (VA) progress in improving its overall management of 
information technology, including the centralization of information technology functions, 
programs, and funding under the department-level chief information officer (CIO). We also 
discussed the department’s progress since last March in developing an enterprise 
architecture, improving information security, and managing important information systems 
initiatives being pursued by the Veterans Benefits Administration (VBA) and the Veterans 
Health Administration (VHA). Your questions, along with our responses, follow. 

1. On page 19, the GAO testimony stated that VA must also still develop a program 
management plan to delineate how it will develop, use, and maintain the enterprise 
architecture. GAO stated that such a plan is integral to providing definitive guidance for 
effective management of the enterprise architecture program. According to Dr. Gauss, 
VA has developed and will implement version 1.0 of the One-VA Enterprise Architecture, 
which establishes ten enterprise business functions and seven key enabling functions. 
Does GAO agree that these business and enabling functions provide the management 
tools necessary to start the process for implementing VA’s enterprise architecture? 

The Federal CIO Council’s guidance on enterprise architecture² advises organizations to 
develop a set of controls to help them successfully manage the process of creating, changing, 
and using an enterprise architecture. These controls are intended to promote sound 
management of the enterprise architecture project through the use of plans, products, and 
requirements, including the program management plan that we referred to in our testimony. 
In particular, a program management plan would articulate critical factors guiding work on 
the architecture, including a work breakdown structure detailing the tasks and subtasks 
necessary to acquire, develop, and maintain the architecture; resource estimates for funding, 
staffing, training, workspace requirements, and equipment needs; and a roadmap for the 
initiation and completion of key project tasks. As our testimony noted, VA lacked such a 
management plan to support its enterprise architecture effort. 

¹U.S. General Accounting Office, VA Information Technology: Management Making Important Progress in 
Addressing Key Challenges, GAO-02-1054T (Washington, D.C.: Sept. 26, 2002). 

²Chief Information Officer Council, A Practical Guide to Federal Enterprise Architecture, Version 1.0 
(Washington, D.C.: February 2001). 

While the enterprise business functions and key enabling functions are essential components 
of the architecture that VA is developing, they cannot be considered a primary tool for 
managing the enterprise architecture effort. Rather, these business and enabling functions are 
the products of VA’s efforts to develop the baseline, or “as-is,” and identify the target, or “to- 
be,” components of its enterprise architecture. Specifically, enterprise business functions are 
externally focused functions involving direct interactions with veterans across the enterprise, 
such as providing medical care benefits, vocational rehabilitation, and employment benefits. 
Key enabling functions are those necessary to support the enterprise business functions, such 
as eligibility and registration, and enable smooth operation of the overall enterprise both 
internally and externally. 

As the CIO Council’s guidance notes, one of the initial steps in developing an enterprise 
architecture is describing the enterprise as it currently exists, including business functions 
and information flows. By identifying the business and enabling functions, VA has set the 
stage for moving toward and measuring progress against its target architecture. Nonetheless, 
while these functions represent an important accomplishment in VA’s development of its 
enterprise architecture, they do not satisfy the department’s need for a program management 
plan to help provide a sound foundation for managing the development, implementation, and 
use of the architecture. 

2. Concerning VETSNET, GAO testified that “after six years the VA still has significant 
work to accomplish, and could be several years from fully implementing the system.” In 
GAO’s opinion, how have veterans benefited from this program, considering the 
significant capital that has been dedicated to this program? 


Although VBA has spent more than $40 million on developing the VETSNET compensation 
and pension replacement system since 1996, veterans have not yet received measurable 
benefits from this initiative. At the time of our testimony, VBA was using its new software 
products to deliver benefits payments to only 9 of the more than 3 million compensation and 
pension benefits recipients on its rolls.³ Benefits payments to all other recipients continued 
to be made via the department’s aging Benefits Delivery Network. Moreover, subsequent to 
our testimony, VBA officials told us that at the beginning of this month they intended to 
convert the processing of the nine benefits payments being made with the new software to 
the Benefits Delivery Network. An official explained that the February 2001 pilot test using 
the new VETSNET software had in essence been a proof of concept exercise to demonstrate 
that the software could deliver benefits payments. He stated that this exercise has now been 
completed. 

³As part of a pilot test in February 2001, VBA began processing ten original benefits claims using its new 
software. However, according to VBA, one of the ten veterans subsequently moved outside of the area covered 
by the pilot test and now receives his payments via the Benefits Delivery Network. 

VBA still has numerous tasks to accomplish before its software applications comprising the 
compensation and pension replacement system can be fully implemented and capitalized 
upon. As our testimony noted, all but one of the six software applications constituting the 
new system⁴ still need to be fully deployed or developed. Specifically, two applications — 
Share, which is used to establish a claim, and Modern Award Processing-Development, 
which is used to help develop a claim — still need to be implemented in the majority of 
VBA’s 57 regional offices.⁵ In addition, three applications continue to require development 
and, according to VBA officials, are not expected to be fully deployed until December 2004. 
At that time, Award Processing will be expected to record award decisions; generate, 
authorize, and validate on-line awards; and interface with a correspondence application to 
develop notification letters to veterans. The Finance and Accounting System will be 
expected to perform accounting and benefits payments functions and interface with the 
Department of the Treasury. 


Beyond these applications that VBA must still deploy and/or develop, it faces the more 
immediate task of ensuring that the one application already deployed — Rating Board 
Automation 2000 — is utilized to its full potential. When implemented in November 2000, 
this application was expected to assist veterans service representatives in rating benefits 
claims. However, according to a VBA official, some regional offices indicated that rather 
than improve service delivery, use of the software tool actually resulted in longer processing 
times. Given the department’s backlog of compensation and pension benefits claims, the 
undersecretary for benefits subsequently suspended the requirement for regional offices to 
use the software until its backlog had been reduced. At the time of our testimony, VBA did 
not plan to require its regional offices to fully utilize this software until July 2003. 

3. Since VA has been given the lead in making the renamed Federal Health Information 
Exchange (FHIE) a reality, what must be done to assure successful implementation? 


Successful implementation of FHIE will largely depend on the extent to which consistent and 
effective project management and oversight exists to guide the initiative. In April 2001,⁶ we 
recommended that the participating agencies — VA, the Department of Defense (DOD), and 
the Indian Health Service — take various actions to strengthen the management and oversight 
of the government computer-based patient record (GCPR) project (the predecessor strategy). 
These steps included (1) designating a lead entity with final decision-making authority and 
(2) creating comprehensive and coordinated plans that included an agreed-upon mission and 
clear goals, objectives, and performance measures to ensure that the agencies could share 
comprehensive, meaningful, accurate, and secure patient health care data. We reiterated the 
need for VA to implement these recommendations in our June 2002 report,⁷ and also made 
additional recommendations that the participating agencies (1) revisit the original goals and 
objectives of the GCPR initiative to determine if they remained valid and, where necessary, 
revise the goals and objectives to be aligned with the current strategy and direction of the 
project; and (2) commit the executive support necessary for adequately managing the project 
and ensure that sound project management principles are followed in carrying out the 
initiative. VA concurred with these recommendations. 

⁴The six software applications constituting the replacement system are Share, Modern Award Processing-
Development, Rating Board Automation 2000, Award Processing, Finance and Accounting System, and 
Correspondence. 

⁵Among the 57 regional offices that are expected to benefit from the replacement system, only 6 currently use 
Share to establish a claim; only 2 offices (Salt Lake and Little Rock) have pilot-tested and currently use Modern 
Award Processing-Development to assist in developing most compensation claims. 

⁶U.S. General Accounting Office, Computer-Based Patient Records: Better Planning and Oversight by VA, 
DOD, and IHS Would Enhance Data Sharing, GAO-01-459 (Washington, D.C.: Apr. 30, 2001). 

The actions that VA and DOD took in response to the recommendations resulted in a revised 
strategy whereby patient data would be exchanged and a common health information 
infrastructure and architecture comprised of standardized data, communications, security, and 
high-performance health information systems would be developed. VA and DOD intend to 
accomplish this with two initiatives. The first, FHIE, is focused on DOD providing 
information to VA clinicians. A second initiative, referred to as HealthePeople (Federal), is 
intended to allow the two-way exchange of clinical information, with an emphasis on 
establishing a common health information infrastructure and architecture. VA and DOD 
have stated that they plan to complete this initiative by the end of 2005. 

Along with designating VA as the lead agency for FHIE, VA and DOD took actions to 
improve project management that should continue to help guide this initiative to a successful 
outcome. For example, 

• goals and objectives have been revised and aligned with the new FHIE strategy; 

• a permanent project manager has been assigned to the initiative, and he is using project 
management software to facilitate the monitoring of assigned tasks; 

• executive-level reviews are being conducted for systems development and deployment 
approval; 

• weekly testing and technical meetings are being held; and 

• monthly interagency in-process reviews are being conducted by VA’s Deputy CIO for 
Health and DOD’s CIO for Military Health Systems. 

VA and DOD officials reported that the nationwide deployment and implementation of the 
first phase of FHIE was successfully completed in July. The first phase has enabled the one- 
way transfer of demographic information,⁸ laboratory results, outpatient pharmacy data, and 
radiology reports for separated service members from DOD’s Military Health System 
Composite Health Care System to VA’s FHIE repository. Clinicians throughout VHA now 
have access to over 14 million lab messages, almost 14 million pharmacy messages, and over 
2 million radiology messages on over 1 million service personnel who separated between 
1987 and 2001. 

⁷U.S. General Accounting Office, Veterans Affairs: Sustained Management Attention Is Key to Achieving 
Information Technology Results, GAO-02-703 (Washington, D.C.: June 12, 2002). 

⁸The demographic information consists of patient name, DOD eligibility category, Social Security number, 
address, date of birth, religion, primary language, sex, race, and marital status. 


A second, final phase of FHIE began in October and is intended to make additional health 
information — in-patient histories, diagnoses, and procedures; allergy information; admission, 
disposition, and transfer information; and consult results — available to VA clinicians. This 
phase will rely on the existing technology supporting phase 1, and thus will only involve 
adding data to the existing repository. Completion of the final phase is scheduled for 
September 2003. 

As VA and DOD proceed with implementing the final phase of FHIE and move forward with 
HealthePeople (Federal), providing consistent project management and oversight will 
continue to be essential for successful project completion. As such, sustained adherence to 
the program management structure that VA and DOD have already put in place will be 
critical. Moreover, these agencies can further strengthen their management and oversight 
through the use of performance measures to gauge the progress and effectiveness of their 
efforts. 

4. The VA testified that HealtheVet-VISTA should be implemented by the end of 2005. In 
GAO’s opinion, is this timetable realistic? Please elaborate. 


As noted, beyond FHIE, VA and DOD have envisioned a long-term strategy — HealthePeople 
(Federal) — involving the two-way exchange of patient health care information. This 
exchange is expected to depend on the successful interoperability, and resultant sharing of 
secure health care data, between DOD’s Composite Health Care System (CHCS) II and VA’s 
HealtheVet VISTA, both of which continue under development. 

At this time, we are unable to determine whether plans for implementing this long-term 
strategy are realistic. When our review concluded, VA and DOD had just begun this 
initiative, and program officials stated that they had not completed an implementation plan. 
Until DOD’s CHCS II and VA’s HealtheVet VISTA have been fully developed and a plan 
detailing the work tasks, resources, and completion milestones for HealthePeople (Federal) 
has been developed and made available for our review, we will not have a basis for assessing 
VA’s potential for implementing this initiative by the end of 2005. 

We requested comments on a draft of this letter from the Department of Veterans Affairs, 
but none were provided. 

We are sending copies of this letter to the Secretary of Veterans Affairs and other interested 
parties. Should you or your office have any questions on matters discussed in the letter, 
please contact me at (202) 512-6253. I can also be reached by e-mail at 
willemsseni@gao.gov. 


Sincerely yours, 



Joel C. Willemssen 

Managing Director, Information Technology Issues 